hxxp://sagarlore[.]hotel-guipuzcoa[.]com

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://sagarlore.hotel-guipuzcoa.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133289655717128342"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
404	chrome.exe
404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4112	404	chrome.exe	86
PID 404 wrote to memory of 4112	404	chrome.exe	86
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 3776	404	chrome.exe	87
PID 404 wrote to memory of 4348	404	chrome.exe	88
PID 404 wrote to memory of 4348	404	chrome.exe	88
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89
PID 404 wrote to memory of 4908	404	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://sagarlore.hotel-guipuzcoa.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff04e9758,0x7ffff04e9768,0x7ffff04e9778
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:2
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 --field-trial-handle=1872,i,3223436156058232861,15709978057515165100,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
84bfaec3f2d179d71ac1f16d6bc58ac3

SHA1
c9751a555053cede4fb72941bd8e3872ca2e8bc9

SHA256
e4758cfce57ca2702d316e2f01d5caa7282abcc3eb57dee83a72d06804c25bec

SHA512
a156a97f1a4d73ec65db36b317f4155b4ac12d29fc9822a5de8cc5aa426725ea23a1bbc34dfc6cddac97bcfd95e8969bf77128f76f09125f132c845824fb6e39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2e3ed26babe000ccb5844f4d373e54ef

SHA1
4461d134cf60d02713670dd763a51693a25bb08b

SHA256
baa682f55726e6bcdd499f65590403bf28df2bc2ccc2ecbb0a4532aed1537196

SHA512
51e1ac115f3279ca4359a3dc5d9ca64be0bf1160057ee0ae75d64f2635f9ff12f05b22b6cd756a4e8ee1b2f27790e93c73094f86e088cf9553b927142f9148b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
0d4a791bc1210767fac357da9c7a4678

SHA1
40cf7cb8e16de38f0f039c07ddc9238593ae6097

SHA256
28076e64c443bf436341b85ad6928d80f4d2a4d20a611cdf69266ba4ac637d17

SHA512
cd02478b3649065fdce450d2c41da3af458b05ec526307e802e326c038e5891df1f6c99729f7e032ad50fc90ad0e69383fceb894a0064b65706fb75d35f2c6e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5f01eb32e76f3e5d9c2e987f64ed5365

SHA1
0205dc0f002772601ad2e3a4d1e98822b820195b

SHA256
ed02eb76c3553b4d8b71e17085d92553ba98968326ba2db973a17ecc2c58bfe3

SHA512
5ce04056746dbf14fbacbfe29d431ba9111c02bb9b6a73afbaa00610f4f398fdd6279a8388cf564f714b7d7183839e431bae1d9f7ea914ba5656b34ce7af361c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8e9bbb90317c514154a06d2b9e366b9f

SHA1
ce1c3c741365d6006d8794203013be6c06fc9286

SHA256
1684d25a3c1d91c97d705c26cd5fdf730a8059a226a4426b73ffbe9130ca6050

SHA512
b3fc7e8dca1726b295d3629325a3659495cfb4ad21c74a596b15736d9568c21bfb265c63315b52c08bee5f2e1551e42f4d59e9a4087a225992b4d52f943bd2c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a9c5c8fa20796a57c70bb2282319cf03

SHA1
7cadd28585b6ab025b9cad985f95ab3b2719c4e3

SHA256
d41607d85d544331348f37c60dbce5f9632e16b020d50600ad2d25ead0175ef0

SHA512
d3ebbd52bee24a5ed21424ff7ae0ec4a09d472dd48a002b63efa96d99534ef96f921da41f8506775245bad89d3b9e25e9ed6cadd901c4dde2d9cd4102280e616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
8e515cf00ccab35a0f9145e67f768408

SHA1
1c56a844050a9e477ef933a416bbe7cbf8b24cf2

SHA256
788001da3d745381ce95f61fd59bc46dbdc11dc74a7a293c0934877c61c2484a

SHA512
a73d426b891c1d982c34f6d90081ea1a5b731fdf15a0fdd16271da9f06f3cc3953c183170a68e640107cd3b25561c5452a670c0bdd4176c8e89c6506dd3f579f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit