Analysis
max time kernel: 600s
max time network: 507s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2023 00:55

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bafybeifx3t7zuqslr2l4wtflmftyw3pa4gnw475q4k7zgjlwctvskcahha.ipfs.dweb.link/ddoonnvau.html
Resource: win10v2004-20230220-en
General
Target: https://bafybeifx3t7zuqslr2l4wtflmftyw3pa4gnw475q4k7zgjlwctvskcahha.ipfs.dweb.link/ddoonnvau.html
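The target is served through a public IPFS HTTP gateway (dweb.link, subdomain style), so a block on the hostname alone misses the same content on every other gateway and in the path-style `/ipfs/<cid>/` form. The script below is an added example, not part of this report or of the sandbox's tooling: it extracts the CID from either gateway URL shape, decodes the base32 CIDv1 prefix to confirm the version, content codec and multihash function, and emits the gateway-independent indicator together with the equivalent URLs on other gateways. The gateway host list and the single-byte-varint restriction are assumptions of the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed input: the URL submitted in this report (subdomain-style IPFS gateway URL).
SUBMITTED_URL = ("https://bafybeifx3t7zuqslr2l4wtflmftyw3pa4gnw475q4k7zgjlwctvskcahha"
                 ".ipfs.dweb.link/ddoonnvau.html")

# Multiformats constants. Assumption: only single-byte varint prefix fields are handled,
# which covers the common CIDv1 shapes (dag-pb 0x70 or raw 0x55 with sha2-256 0x12).
CID_V1 = 0x01
CODECS = {0x70: "dag-pb", 0x55: "raw"}
HASHES = {0x12: "sha2-256"}

# Subdomain gateway: <cid>.ipfs.<gateway-host>/<path>; path gateway: <gateway-host>/ipfs/<cid>/<path>
SUBDOMAIN_RE = re.compile(r"^(?P<cid>[a-z2-7]{10,})\.ipfs\.(?P<gateway>[^/]+)$")
PATH_RE = re.compile(r"^/ipfs/(?P<cid>[A-Za-z0-9]+)(?P<rest>/.*)?$")


def b32_decode_lower(s: str) -> bytes:
    """Decode the unpadded lowercase RFC 4648 base32 used behind multibase prefix 'b'."""
    s = s.upper() + "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_cidv1(cid: str) -> dict:
    """Split a base32 CIDv1 into version, content codec, multihash function and digest."""
    if not cid.startswith("b"):
        raise ValueError("only base32 (multibase 'b') CIDv1 is handled; CIDv0 'Qm...' is base58")
    raw = b32_decode_lower(cid[1:])
    if len(raw) < 4 or any(b >= 0x80 for b in raw[:4]):
        raise ValueError("multi-byte varint prefix not supported by this example")
    version, codec, hash_fn, hash_len = raw[0], raw[1], raw[2], raw[3]
    digest = raw[4:]
    if version != CID_V1:
        raise ValueError(f"unexpected CID version {version:#x}")
    if len(digest) != hash_len:
        raise ValueError("multihash length byte does not match digest length")
    return {
        "version": version,
        "codec": CODECS.get(codec, f"{codec:#x}"),
        "hash_fn": HASHES.get(hash_fn, f"{hash_fn:#x}"),
        "digest": digest.hex(),
    }


def extract_cid(url: str) -> tuple:
    """Return (cid, path) for either gateway URL style, independent of the gateway host."""
    u = urlparse(url)
    m = SUBDOMAIN_RE.match((u.hostname or "").lower())
    if m:
        return m.group("cid"), u.path or "/"
    m = PATH_RE.match(u.path)
    if m:
        return m.group("cid"), m.group("rest") or "/"
    raise ValueError("not an IPFS gateway URL")


def gateway_agnostic_ioc(url: str) -> dict:
    """Normalise a gateway URL to the CID-rooted indicator that survives gateway hopping."""
    cid, path = extract_cid(url)
    info = parse_cidv1(cid)
    return {"cid": cid, "path": path, **info}


# Assumption: an illustrative list of public gateway hosts, not one taken from the report.
GATEWAYS = ("dweb.link", "ipfs.io", "cloudflare-ipfs.com")


def equivalent_urls(cid: str, path: str, gateways=GATEWAYS) -> list:
    """Both URL shapes on each gateway: the same content, reachable under many hostnames."""
    urls = []
    for host in gateways:
        urls.append(f"https://{cid}.ipfs.{host}{path}")
        urls.append(f"https://{host}/ipfs/{cid}{path}")
    return urls


if __name__ == "__main__":
    ioc = gateway_agnostic_ioc(SUBMITTED_URL)
    print(ioc)
    for u in equivalent_urls(ioc["cid"], ioc["path"]):
        print(u)
```

Block on the CID (or on `/ipfs/<cid>` and `<cid>.ipfs.` patterns), not on dweb.link. Note that for a dag-pb CID the digest is the sha2-256 of the root DAG node, not of the served file's bytes, so it will not equal the SHA-256 of ddoonnvau.html; only for a `raw`-codec CID does the digest hash the content directly.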
Malware Config
Signatures
Every IoC below is raised by chrome.exe: PID 4132 is the browser process the sandbox launched with the target URL, and each other PID named is one of its own child processes (see Processes). These are the events a multi-process Chrome startup produces (the browser process spawning and configuring its children); none of them is attributable to the fetched page, whose content the behavioural run does not surface.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        | ioc                                                                  | process
  Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | chrome.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs; S-1-5-19 is the LOCAL SERVICE hive)
  description      | ioc                                                                                                     | process
  Set value (int)  | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133291977474194466" | chrome.exe
  Key created      | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4132 chrome.exe (2 events), pid 1464 chrome.exe (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid 4132 chrome.exe (2 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 4132 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 events each)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 4132 chrome.exe (26 events)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 4132 chrome.exe (24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
  All writes are from PID 4132 chrome.exe into its own child processes; procid_target is the report's internal process index.
  PID 4132 wrote to memory of 1508 (crashpad-handler, procid_target 84): 2 events
  PID 4132 wrote to memory of 4420 (gpu-process, procid_target 85): repeated
  PID 4132 wrote to memory of 1436 (network service, procid_target 86): 2 events
  PID 4132 wrote to memory of 4560 (storage service, procid_target 87): repeated
Processes
Indentation shows parent/child. PID 4132 is the browser process started by the sandbox; PID 1060 (Chrome's elevation service) was started at top level and is not a child of 4132.

[PID 4132] C:\Program Files\Google\Chrome\Application\chrome.exe  (browser process)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bafybeifx3t7zuqslr2l4wtflmftyw3pa4gnw475q4k7zgjlwctvskcahha.ipfs.dweb.link/ddoonnvau.html
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  [PID 1508] C:\Program Files\Google\Chrome\Application\chrome.exe  (crashpad-handler)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa25bc9758,0x7ffa25bc9768,0x7ffa25bc9778

  [PID 4420] C:\Program Files\Google\Chrome\Application\chrome.exe  (gpu-process)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:2

  [PID 1436] C:\Program Files\Google\Chrome\Application\chrome.exe  (network service, --service-sandbox-type=none)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:8

  [PID 4560] C:\Program Files\Google\Chrome\Application\chrome.exe  (storage service)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:8

  [PID 3860] C:\Program Files\Google\Chrome\Application\chrome.exe  (renderer, first renderer process)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:1

  [PID 3760] C:\Program Files\Google\Chrome\Application\chrome.exe  (renderer)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:1

  [PID 2984] C:\Program Files\Google\Chrome\Application\chrome.exe  (data decoder service)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:8

  [PID 544] C:\Program Files\Google\Chrome\Application\chrome.exe  (ProcessorMetrics utility, --service-sandbox-type=none)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:8

  [PID 3544] C:\Program Files\Google\Chrome\Application\chrome.exe  (UtilWin utility, --service-sandbox-type=none)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:8

  [PID 1464] C:\Program Files\Google\Chrome\Application\chrome.exe  (second gpu-process instance, started with --disable-gpu-sandbox --use-gl=disabled)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 --field-trial-handle=1820,i,13306698055958713787,10156531190310108660,131072 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses

[PID 1060] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (top level)
  cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
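Read together, the WriteProcessMemory IoCs and the process tree let a reviewer check the one thing that matters for that signature: whether the writer only touched children it had just spawned. The script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the report's flattened `PID <src> wrote to memory of <dst> <src> <image> <procid_target>` form, transcribes the tree above into parent/child pairs, and flags any write whose target is not a child of the writer running the same binary. The two rows targeting PIDs 1060 and 9999 are constructed to show the check firing; they are not in the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for processes shown at top level in the report
    image: str


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ELEVATION = r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

# Transcribed from this report's process tree (parent/child taken from the tree depth).
PROCESS_TREE = [
    Proc(4132, None, CHROME),   # browser process
    Proc(1508, 4132, CHROME),   # crashpad-handler
    Proc(4420, 4132, CHROME),   # gpu-process
    Proc(1436, 4132, CHROME),   # network service
    Proc(4560, 4132, CHROME),   # storage service
    Proc(3860, 4132, CHROME),   # renderer
    Proc(3760, 4132, CHROME),   # renderer
    Proc(2984, 4132, CHROME),   # data decoder
    Proc(544, 4132, CHROME),    # ProcessorMetrics
    Proc(3544, 4132, CHROME),   # UtilWin
    Proc(1464, 4132, CHROME),   # second gpu-process
    Proc(1060, None, ELEVATION),
]

# Row shape as flattened in the report; (?P=src) enforces the repeated writer pid.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)

# Constructed sample: one row per distinct target from the report, plus two CONSTRUCTED rows
# (targets 1060 and 9999) that are NOT in the report, included only to exercise the check.
SAMPLE_ROWS = """
PID 4132 wrote to memory of 1508 4132 chrome.exe 84
PID 4132 wrote to memory of 4420 4132 chrome.exe 85
PID 4132 wrote to memory of 1436 4132 chrome.exe 86
PID 4132 wrote to memory of 4560 4132 chrome.exe 87
PID 4132 wrote to memory of 1060 4132 chrome.exe 90
PID 4132 wrote to memory of 9999 4132 chrome.exe 91
"""


def parse_wpm(text: str) -> list:
    """Return de-duplicated (writer_pid, target_pid) pairs from IoC rows."""
    return sorted({(int(m["src"]), int(m["dst"])) for m in WPM_RE.finditer(text)})


def classify_writes(tree: list, writes: list) -> list:
    """Flag writes that are not 'parent writes into its own child of the same binary'."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for src, dst in writes:
        writer, target = by_pid.get(src), by_pid.get(dst)
        if writer is None or target is None:
            findings.append((src, dst, "pid not in process tree"))
        elif target.ppid != src:
            name = PureWindowsPath(target.image).name
            findings.append((src, dst, f"target is not a child of the writer ({name})"))
        elif PureWindowsPath(target.image).name.lower() != PureWindowsPath(writer.image).name.lower():
            findings.append((src, dst, "child runs a different binary than its parent"))
    return findings


if __name__ == "__main__":
    for finding in classify_writes(PROCESS_TREE, parse_wpm(SAMPLE_ROWS)):
        print(finding)
```

On the report's own rows the check returns nothing, which is the expected result for a browser process setting up its sandboxed children. Treat it as a noise filter, not a verdict: a parent writing into a child it just created is also exactly what process hollowing looks like, so a positive result here removes the generic signature from the triage queue without proving the write benign.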
Network
MITRE ATT&CK Enterprise v6
Downloads
File names were not preserved in this copy of the report; only sizes and hashes are listed.

Filesize: 72B
  MD5:    98079ffe974e0973ff6158aadd8d605e
  SHA1:   1d32e4ea54d5cd7f36dc238177c08972d46faa9e
  SHA256: 090164f5417a214232c68a0d8a61706d230311fc13aa13b602d75dcb8fd374ba
  SHA512: 05163905b575d6db8718daba839191da7feb98b94e715a93d5aac4cd3bd2db5bc0d664d9e67690e6b853344e455d6613eeddbea652b4541e8d6e50105bafb7f1

Filesize: 1KB
  MD5:    c6499f90d6146aca1a410a4f73831f5b
  SHA1:   30f937dcb3e7c8abc46f681c0476d4e01a285f3e
  SHA256: b328a430a85ebbd819bd1f7b3901f907ee34f4689e994728a14c0bdfca6b804b
  SHA512: facd0c29dc6754ffef7be826495f137a9237158fc5e222986174e0aecd514e09108b7365f0f7ff906d0819a967ee4c4d7798dc5406a5d0d2ccf56df5d1caa14a

Filesize: 705B
  MD5:    2a83533b07dd852c0ddfa1418d8a151c
  SHA1:   f4a74693e5ad0392253f1a57d8c7b695ed2f24d0
  SHA256: 1649550eb1a764f65ab3c3fad36cc7ad4b6559fb74de22e5575e493afe652d48
  SHA512: 370f8c67379f59f655b16dbacfc29d53df2d5b41f5335bfd7fcec36cde94e01f0e2e005602bf3cbaf8fe7079355a5a76cce6caa6326631c5ff5b9789e8ac0ce4

Filesize: 6KB
  MD5:    c758d5e51fe7fb90d77d6f4e6632f768
  SHA1:   526756e5f3170d7121062bcd4f95e0de842b76fc
  SHA256: 706d9e82167ad2b9ebec54adb9d6f1497a48d857e24fabccb9950591f54449ff
  SHA512: db26d0ebc3df08e771005ed2a0edc140c11d3b461ddc42db63c40e953f9b1b44ce7a40de653de11fd9b0ee3b245dfa35d781b55790f6f121669c7fab18246e20

Filesize: 15KB
  MD5:    9880574cd61b16c06d9ef4910438d3ce
  SHA1:   9c684b7ed894b21ae0b8dd02535c021e8314fc52
  SHA256: 4977e087658bea5ac9f19d55fb18a0762a4fc7ca2f55337d60be5ea5c916865f
  SHA512: 9a1847eb1989b47ac8459a789c0a5a872c0a75f697c8c58246b45f633972463207f933625453722ac84c5e9ade33139cb4dae1d6887df2a1c181ef0931a62821

Filesize: 151KB
  MD5:    50dd09cf2b81c19ad6e8950fb23e5033
  SHA1:   a0b47ffdd9b1b1719a327c03d93b9980c86b3489
  SHA256: 9f0f01df8ecba604ad1910ec7a40824e4ec1495b979cf3cb4288cfba08d6357f
  SHA512: 58bae5560bb089b8b9dd5df5be98a5d44e6a55ff07ac2752dca92603eb3a2a171969b67c66a7822ecb6b5939aca4a4b9a6e0dfa0eb687d40ca06650db81c12c4

Filesize: 2B (these are the hashes of the two-byte string `{}`, an empty JSON object, so this entry carries no indicator value)
  MD5:    99914b932bd37a50b983c5e7c90ae93b
  SHA1:   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd