hxxps://pub-50cf5244be594ba492b2904621691deb[.]r2[.]dev/ourteam[.]html?

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 15:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://pub-50cf5244be594ba492b2904621691deb.r2.dev/ourteam.html?

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133293279511801637"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 632	4676	chrome.exe	84
PID 4676 wrote to memory of 632	4676	chrome.exe	84
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3936	4676	chrome.exe	85
PID 4676 wrote to memory of 3224	4676	chrome.exe	86
PID 4676 wrote to memory of 3224	4676	chrome.exe	86
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87
PID 4676 wrote to memory of 216	4676	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://pub-50cf5244be594ba492b2904621691deb.r2.dev/ourteam.html?
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d6a59758,0x7ff8d6a59768,0x7ff8d6a59778
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:2
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:1
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 --field-trial-handle=1756,i,16594934894281957299,6308213730592568188,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
17KB

MD5
591b892cfcbe0068b53987c3cbcc9a78

SHA1
11d5b4047439ac40d40e894fb4e40ac315ad2ca8

SHA256
0bbcecf6489121f16859ef2d9f1c8fda1ec226a1fb59e4b577056174527ff858

SHA512
800545ec2e23cc0f86f99677b6c09edd9a1fe5a60b6d0d8248fbd9288dea3cf964e0e99f075c9572666a932f9e5712803403876193bdc39c277cf4ae94006730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
6664de71b5d226212ed4a9eeaad07430

SHA1
08e76ed9ae3134ac483488e6916546d54e3fc5b1

SHA256
185a36bd982e61066943a5fdae46f58f022a34bb2440c47f64509342e7978bb4

SHA512
bd8cd3cd9ac403071e5350c3b71c093b30ca548028ead7e55d529abf6a2177e2d84a8a719372df8896ea25e95807416e10a99d8d3e7168dd0e9e1298ecbdcc08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d38baab15990267060f4a26b8b40f7dc

SHA1
1950c906431dfcc38b5725db8f2a6a14e1d506a1

SHA256
4148b600e8f20738aa2e46fafa25ed31f8ca2a9bec7a0976b9376ab763650c96

SHA512
067c845336d03236ab90b9afbe5c1b2245be37b20ed30cebbda5db1a3e76994e6362ced1de8c31205a02cd7ad3c8ab518805aa504a06cc2e71b5af653d0456b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77be57494e7a0ac86dd6fdfa8de52dba

SHA1
112fe3016b50c6693504fdba5313d9a95d9884ed

SHA256
d26e8ec5211a955b56ff2903631a1c90b3ec0504275747a77fdb767c839a33b0

SHA512
fdfc90831392c35e5a73bc63658ae000de585c6571966b1494a7d5031c9e33a56ed8379d48f31d2d1e54076e75dfbfdd6f04195257c8b4168cc8556bb265d4b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41d5cea4e6436557b8b9e04535206e49

SHA1
f8e09020423002a77cf7542f9601a9653fd2bcf9

SHA256
ac47e201481d0dfb4bc12a3ede2bddf85d2edf6bdd2f843826da7a0e3ebe5955

SHA512
95c7cdd3528cc20929b1e56fafd187f465ca93db6a2a1179ccf1caa19c0e46fb94da8c37052be85009c469798200216c2e00bde759ebd5305815b189d6e71e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1e54ac707b7ad06aa9db23c0fab7396

SHA1
fb7d01a82aecf111b5d5b23ad9196c8c516e9019

SHA256
0460500c1e5e229533aa6427d1397920d7971372665497c60a10d6e9091a02d1

SHA512
879e12d4479e24c0edc604758895b4e1fdc804336bce29d289d46e7ff79899ba54b503731bbaa8bd6c1dd6b2a2a9cf3ef86bd75743deaf0ac97cc703e91b3312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a710864a0b0d45041705069a0e602aa8

SHA1
0a30c3bb19e6508eca7d2ad4680aeee3aa95ed7f

SHA256
b190a5047e7ab4da7f35b28fb933ca04ed26ee345dcc961198799aca06381617

SHA512
ee8a4a9e3aa510d459592d25b455beadfac60afce3fbe771b3f32726d2f35ffa5a2d3bed6c4d25542324a07a26601a91c3375290ac9d06ea36acf205fab95016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
f501828f365f28221680ebf77e15ac26

SHA1
6888cba4cd357ebab005b2fe37175985e1a20434

SHA256
e8a3bf318291a0802bb7b5856da00677ec99660830b8acd4c905110eed6e0654

SHA512
895f365c43fd531d0830c3435819f6678781f0605f6993a928eb80de77af6d1c70086df721eb47257bd4cf66f18f645388d459d4a7446dbf700fd956d76e8069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit