hxxp://handbaggather[.]com

Analysis

max time kernel
177s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://handbaggather.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295686310496375"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
4256	chrome.exe
4256	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 3620	1220	chrome.exe	77
PID 1220 wrote to memory of 3620	1220	chrome.exe	77
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 1760	1220	chrome.exe	80
PID 1220 wrote to memory of 4828	1220	chrome.exe	81
PID 1220 wrote to memory of 4828	1220	chrome.exe	81
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82
PID 1220 wrote to memory of 2800	1220	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://handbaggather.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffee9ad9758,0x7ffee9ad9768,0x7ffee9ad9778
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2760 --field-trial-handle=1812,i,9112525156712621995,13529484114912737978,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
da1b618a7db20e0c83f642b73cd77657

SHA1
97b8803e27c2b708fcc4484d30f9a80a917ddf9e

SHA256
6c97fc8ddc682973076376879b407003eb2ab4a9167e563369fdacc2410f3c4a

SHA512
5042a5ea63ef0d870de0d45624856d9e712d7651ecac07c6254795a1d934cc94fca3511206c5a82159bf7c33305a4f74506763879c1e93b3b3eaaebcf8bd75c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
668f45cfb3fc091ff773031127d3da5c

SHA1
e957249a7476d2373b11e26295ba5ea8852dfc9c

SHA256
0f75b430147bc8c015fdfe71d6c3b2980ff62a192c1b25746ac64a84c2094381

SHA512
af0eb9b772482408d8cb444017aab0aae6f854c8e30ba964164b925a4cc0b54a3c235eaff96c167d256c0b7e5ecd57fe21b96b4c409d7b97cfdc3e0118ba0995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
a935890283341dc00fa5dfaf4b4aa3bd

SHA1
213953b31c1cbfce9e8be91ef89f0cfe3afe0963

SHA256
855a6409bc6423d9a7d15f1c913b465ec03b7773e91f435419c8e6742c118017

SHA512
0fe6b2388b5aa04132365a3a5c5f2e5d5289291cb1ad7c60f291384f01bc2d3c016a3e0a5df75a6aece89257caf855892dc0cea558e1fab3cd81695ebef786a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
df149bd861976cd57daf17db154b6e57

SHA1
b4d12ba84b90c3ee99d61b0bec4d938fffcc051e

SHA256
bbce50a90af5d45c135ca6a742b3c7ed8297fca653ef8c9b4b9acf426902e14f

SHA512
27a6ac2f47032df544e8cdc73d5eaf9661f1af4adbed14cea0da9e51b3b3a1c4ecc20a7ebf648b57961fb6b1b61da0fc45bb669439aab6e7d009178342c85175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6cbb7fd2f35f05264501f7911414aba6

SHA1
111ecccc88a53f269059cd517d904c735d5916fb

SHA256
f5ac56b2564d4066708def7bda0a4c162e7e27df5e65440fab6c99c2ed5c107f

SHA512
2ad4711d62a514790fa4b9fa3f6b542f25dc50d388a55e219da3c2b9a6e0140d56afddf7a6977086ba9cb2cff26a13dc3aca40262ed2b5e27865d252e1b6d802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
374dc3f8960c560e82672443b4d78550

SHA1
3a5ee2566e6563cd4866dbb36a561d214a5ce1ad

SHA256
3d626289f1098983451c7b9d1a6384c8bb91d076cbce640e6c707eb0c643a0f1

SHA512
2a2addb8b3eb38c0578f1ac4b2189fb2ef99dea23b0b0fdb7cce0657422b9301f55ebcfe591a9e98ba63755305e3e1ef8b378ec585a2fbd30898c1e90dac2bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit