hxxps://ecv[.]microsoft[.]com/gAvP2GFWQW

Analysis

max time kernel
1801s
max time network
1696s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ecv.microsoft.com/gAvP2GFWQW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294341471875020"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3108	chrome.exe
3108	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3108	chrome.exe
3108	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1172	3108	chrome.exe	82
PID 3108 wrote to memory of 1172	3108	chrome.exe	82
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 2784	3108	chrome.exe	83
PID 3108 wrote to memory of 180	3108	chrome.exe	84
PID 3108 wrote to memory of 180	3108	chrome.exe	84
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85
PID 3108 wrote to memory of 3568	3108	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://ecv.microsoft.com/gAvP2GFWQW
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89b539758,0x7ff89b539768,0x7ff89b539778
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1808,i,4549300337212134356,13538967650038651318,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e24debae840e0181525ade12cb6166ee

SHA1
c014bcdd0d24d9d1e661ff3eb7abf32c667e8853

SHA256
2630136cdd7fb81b29d2a8699c2644ddb32a31cb10ac6ff6eaa828c5b0ff5dbf

SHA512
ed1b5b7622012159fc3c59241c4fce1e9a4f74455757c949eaa33c5a39f118737c93180dd0fa6bf87c48b53c805d3dcc5971f3dce88e5343605aaeb7d730504f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
329a40d4d20fe17d2457162262eec7fd

SHA1
0c074a545cf773cfd523aa84884c04028f9af4f7

SHA256
d306d3949816692e2c25d222f0dd346ac321d72358095ade5528cd3d700d6fa6

SHA512
a3b8f28345fe6a7aba697b100a17780aacde68722a8e678fc8a3867126260fb089b0559d2573976db094eccd4428a64333c30bbb22cba107c6ad8f55c37b8665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
e5f52842924a3078faa10ef43bc0a85a

SHA1
a6929c745eba918de35ff0c73012adebeb6e4254

SHA256
8b10fe4ed379a0c1d3fd0f479693acefdc33fe8073ff7eab0b2c9980b39349c3

SHA512
9d63e95acd135880cea795be11d1c09b5ccac36bfcbb18698f48f0b3d008f656f9036f750896ed9b8f257de3ac7b3bdbc0a83b4538db95dd5838b53d9d6bb093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
43c906b3691d8e4e35b38e03975534c3

SHA1
6c1d22a030373b57e04dcc47bfe1f61d0960ee15

SHA256
2ea56c832931d0ba31133467373e571f41d0a4cc5cf342050907477e7f3b97ed

SHA512
29f68d2cf938febc1cb14926d2a8f65feb6c6385766178920c34fafc908f4bcbc4e3a0cc6a0a46148d53d1beb0b631a7b0214036c72631dd8aaae23c5ca26548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
35a768617bd271e2002d960ffb6b2b8f

SHA1
f6dacd97dbc17321b557b0e4ce270186d2051425

SHA256
359c9135f1896a2fc6ea1efe09c00914c890d499b8340e88eeb53a73527e1916

SHA512
c84301f435726aa6ae4287c90e923c4ea446a41738a59ba1150493e7c6437b536eedc1734c82d96acec8a6ac3f88d67ce52b1ac0d8a6b347d8d263affdfcb8f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6be31a09cc9ffa607b399d55ecd13178

SHA1
52599add2328a1a8cfb076cead9f125ce71165d3

SHA256
24020ed52946034b7ee7fd87f28157bf992632fb5dbaf1864739bb86ac990596

SHA512
97a46cc24099354dcfba76fdc256922c4c2595efead4e3474ac6a499e4db4a8b91c2c6f1a55e20634cdb16b5b25c9d7a16571979a0e58c176e9186e79c545f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
f023c516ea52bd4675e443cf34227abb

SHA1
adc21f7ce94a155eafc20c75ad64073e1132b211

SHA256
598153d629c17f77589f84a2f291b6c2bad52067b05177eb0d32f4a8668d5359

SHA512
1306f9da67523e5b01fb71374f5733d3eb23f37740c0f8f77beef58efe9661c5281128ff110d70773738aa52f32264707f3afc39572b25c96ad7f3a2c22c201b

Download Submit