hxxp://shrtco[.]de/YSP7x6

Analysis

max time kernel
1800s
max time network
1688s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://shrtco.de/YSP7x6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294224678092577"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4876	2704	chrome.exe	82
PID 2704 wrote to memory of 4876	2704	chrome.exe	82
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 4492	2704	chrome.exe	83
PID 2704 wrote to memory of 364	2704	chrome.exe	84
PID 2704 wrote to memory of 364	2704	chrome.exe	84
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85
PID 2704 wrote to memory of 1656	2704	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://shrtco.de/YSP7x6
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadf3c9758,0x7ffadf3c9768,0x7ffadf3c9778
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2824 --field-trial-handle=1800,i,13772935766132062078,4406055350130123024,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ee768cc52e4f904c22a0a34c8e134883

SHA1
d9a7ee2c9be73923a3de92d3b01eb39e4014c582

SHA256
bc06b98599a28fff5c8fda188453c92997dd100dcb05493c19d1e0fb88fa69e3

SHA512
df9eeb6c3b5585450ea114f1738e10439c46ee2a50b0ca100356b073a3364469d51776d9b6f094af1dd2dd0dd64edb5d238db51d1cab7aaee0f994ebc18b66dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54e7ab8c9b65b1c45cd03e7994100ad7

SHA1
447bbdd362821010dc9cdaa3da0e3602ae3f150b

SHA256
c325f0858db9b3d78415200da8036dd8d920ac9be6cdc76bc3eb5e176904c09b

SHA512
2350693ff84e3135a16684a06d1f08859a143fc7ef123bf773bcc991865ca8e9b3e3e5741dfdbdb53c1906a485e36527d6e03176c05658f2d7e0e7d8b5ac72c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1599c1267f1b30996d4154f9e985f64

SHA1
d3576f53ae0566027651d3a94cd57729327de69e

SHA256
ef24cac71cf3c26565a48b23a32cebb90241fdf2bff350a4818bc9a4f2df63c2

SHA512
b9eacf0744fc77c9c2e98760c5e493928d6d3313e1c751da1a700f696249b69e4186ae1948b77ff59cbfabac224232b7aad30a2608d72fe31f841bfd4bee7a4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dee0831e4fb16ab13ccbd223bcd69a57

SHA1
3e65f6f7ef3e624837cd62d7999fb7aadd30a954

SHA256
259707b6cd825ce04aa9d43f6e3b66a3fc8e35240da94e2fe60a337caba1dead

SHA512
06a6d24d6513e9a57493906872b9137f903c91abc7d3a6db5a0694084503cf3ce12741510279903721981efc45ecaadeed5086ada9cef1c9be7eaa2d69924954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e5ad662fb03e300b0b1584a09450ea1c

SHA1
c7ea9d831ca014231df31f945cf570deb401fde3

SHA256
a9eb5d73e2a7268044dfafb60dd5702e6d1f32f46e6d8ffc4648d8b5d5c63708

SHA512
1d0a27fac74153bd8f6a873d1901e6904a903f07e31ad48e4058e7381153bfd88930c89a989bb45e3311cc32334eb90f1b6b11333c6f96a7d0583826a9ef5801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
43c9e593041251fe0703c81178ae1493

SHA1
9c6808f311a9d82f8e2f3cd213b6986f1d1d641b

SHA256
70f23b300f6f78d1b6093f0c64daf3283e00997bb849be32696e0082579c04a7

SHA512
ec30eb2dae9ea1e9246f0494bf4d366605869dcc846b854f42bed4f02c1aa42d994c118ac3e243c959a19e7d60e31d81f486fea22540b8876ddebb9add98c1ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit