hxxps://metrowestcorporation[.]com/uett/?106578

Analysis

max time kernel
33s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://metrowestcorporation.com/uett/?106578

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295194179442835"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3112	4656	chrome.exe	84
PID 4656 wrote to memory of 3112	4656	chrome.exe	84
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 4388	4656	chrome.exe	85
PID 4656 wrote to memory of 904	4656	chrome.exe	86
PID 4656 wrote to memory of 904	4656	chrome.exe	86
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87
PID 4656 wrote to memory of 3876	4656	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://metrowestcorporation.com/uett/?106578
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ff9b5b79758,0x7ff9b5b79768,0x7ff9b5b79778
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1812,i,17422962612926418918,5833856332534932174,131072 /prefetch:8
  2⤵
  PID:4652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\35911588-90b4-4225-8cb1-61066c8e1444.tmp

Filesize
15KB

MD5
45ad698221e5f9c56e3609fcd117ae0f

SHA1
4a37f0301eec28b60201a2106b20865e6a6c275f

SHA256
533534d02d1eef3fcd1daacb582f94a7ffabedb30dd3b90e16007671d0ddcd29

SHA512
e09ce933a10ecf42060fc19ea81e4bc1ecde757488d25be2950c698ec9141570efd4093a6544336159cf20598ad7baab0399158aaedd177b10aaa9be7e425d1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
5e07b04b44a2b749c1155db6aa264f74

SHA1
3168172df16c9b260fdefd848b5b037245b34ff8

SHA256
67e961670aaf6863567aa724992a629c0431f8795159be36ab3e2d1439ee198b

SHA512
fbbca336c1065728ca5bca25462980c34901ea62de4b50e43bfb2bb6c579c2bf442d8fca13c869c270474c575d3f1b97cad21ad0c5765ede38dab0654e4a47c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
ec686982dba35efe0939e3a72ccb8223

SHA1
7e4ce44a4c1393e32c01f1d266b0c66b10600f15

SHA256
ec6d8a1ca0bd51ed5455f8956cbc6bc8667b20c0b02bff2d4c9029b6eed46246

SHA512
2eabd14d6f2599f6da9539489b3ce0167960dc851380a618b364fee0a3c74aebd250aeba51457fab00bb79019c267b9d177a1856da9107fab30d236ef69dd5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
75db896aaf2329c9ee633938ee2fa7e4

SHA1
cf3aeb01bd1127a43c548a046d7912e219bf76f5

SHA256
8591c3d9e0a2c8d6442edb226112ccca9fba9082e7d98c83675314cbdc7ecaac

SHA512
7d5f81d4b610c733d4dbdaf4786d4a6880792c0db66edcbab671e3ba82581d255714f431b60f6ca7d74f874b4442a1c1c7bd3dd23df74581ced7954475606204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5db5a9e0af3adcb3f9fb6b8a2a3dba65

SHA1
df1496561a3a92b24404e16ba453b01531e982ea

SHA256
804092d4e2ad3ac4eb94f89029e65053832dae0a63254eda5910d0bd599a7221

SHA512
f02ea9e4fccec029a269dce8f02c2d5da000e36e21e2fd94c4e900fa370e0104ebae052c6bdbbff8a558a07d2db7779ee2a47dcb66a5a8226cf8f51e007b096c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
47bedf959c8a6149672bba06f170c136

SHA1
0754d29c542653f0c92f60f3a4ca29dfea174d3e

SHA256
a4e2dc726820eb8948a5a15c54dbf1c0b071aa6496813fa80175b4b89297dbbf

SHA512
280c14dc9d6cd04088d8a13ea1e91f2e8db5b348b4bdfce6ef0023d91bf37e0d6602acb7c74488be28ee38c38d55570dd893f1e60352d525b658a7dd08f608ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
fa7a972390c576c09e12b283d3e47718

SHA1
128549a3e5572076f59b2875f5ec5f06e9980bdf

SHA256
40fe62d89c03d5980198b7eb209cb53a75188aceae353e4d785e1c79d589520d

SHA512
f038a4ab6e4e2ffaf0275e37c1986c701b68888d8d80f09817d92f6277c96a98aa97006d670514a96a7c9dcb0825729ea759428abcfbecd39c1661b21994c125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe56e266.TMP

Filesize
101KB

MD5
a7b58db58431422d065e47b847b42b11

SHA1
023d745ce97f03cdf1846603f3ae128c794895e9

SHA256
88df814b91445c3f8694a3a5357b9068ac32a3a59ed3bead1d1ba0636e92b2bf

SHA512
e0a08f9ca040c25cba9bfe9a504dc32ad89a2330b53df96095ef1cf19371478f6d95adb15ea17524d50201951321ae4c8dbcf576c00d653751cb01f734e6e0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit