Analysis

Max time kernel: 16s
Max time network: 18s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-05-2023 09:48

URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bafybeibeedoz4hoq2n7rahlcjmralh4lbhxato7eajllpdsntx4b2rn6ly.ipfs.dweb.link/#[email protected]
Resource: win10v2004-20230220-en
General

Target: https://bafybeibeedoz4hoq2n7rahlcjmralh4lbhxato7eajllpdsntx4b2rn6ly.ipfs.dweb.link/#[email protected]

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                 Process
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133293161540214600"  chrome.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                               chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  5044  chrome.exe  (2 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process
  5044  chrome.exe  (3 identical rows)

Suspicious use of AdjustPrivilegeToken (28 IoCs; the rows alternate between the two tokens below, 14 of each)
  description                       pid   Process
  Token: SeShutdownPrivilege        5044  chrome.exe
  Token: SeCreatePagefilePrivilege  5044  chrome.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  5044  chrome.exe  (26 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  5044  chrome.exe  (24 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs; each of the rows below is repeated in the report, 64 rows in total)
  description                       pid   Process     procid_target
  PID 5044 wrote to memory of 3708  5044  chrome.exe  87
  PID 5044 wrote to memory of 4676  5044  chrome.exe  88
  PID 5044 wrote to memory of 3360  5044  chrome.exe  89
  PID 5044 wrote to memory of 416   5044  chrome.exe  90
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5044, depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bafybeibeedoz4hoq2n7rahlcjmralh4lbhxato7eajllpdsntx4b2rn6ly.ipfs.dweb.link/#[email protected]
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3708, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce88a9758,0x7ffce88a9768,0x7ffce88a9778

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4676, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3360, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 416, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3712, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3400, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2876, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4864 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 784, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1316, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5216 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1560, depth 2)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1820,i,7805448230055937259,1198499486144784058,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 4504, depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads