hxxp://ec2-52-33-3-241[.]us-west-2[.]compute[.]amazonaws[.]com/x/d?c=31853374&l=52275102-db91-4eb7-b1a4-de00efa110ec&r=fe0bd732-ab25-4b0e-90cd-2d86a7fe9505

Analysis

max time kernel
601s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=31853374&l=52275102-db91-4eb7-b1a4-de00efa110ec&r=fe0bd732-ab25-4b0e-90cd-2d86a7fe9505

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295769120550066"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
2204	chrome.exe
2204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1324	3420	chrome.exe	85
PID 3420 wrote to memory of 1324	3420	chrome.exe	85
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 224	3420	chrome.exe	87
PID 3420 wrote to memory of 228	3420	chrome.exe	88
PID 3420 wrote to memory of 228	3420	chrome.exe	88
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89
PID 3420 wrote to memory of 4156	3420	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=31853374&l=52275102-db91-4eb7-b1a4-de00efa110ec&r=fe0bd732-ab25-4b0e-90cd-2d86a7fe9505
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd74129758,0x7ffd74129768,0x7ffd74129778
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1992 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1740 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4684 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3080 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4440 --field-trial-handle=1788,i,861071411534855697,12536807025888968272,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
940a8a056670ea3f938fcd35f6c7b9e9

SHA1
b1ef7753ed8c44ba20c3a48271070f3c21363c64

SHA256
e032a61d657dac08a3d2c775a21d78a738fa02e2bf2ac0b345b65eb0eae204cd

SHA512
d95d7a7f1f640f26eb95d661c41cc205b99828a7c8b087340fc4b5093c1b603974bdbfebfab99ff091e2ba60b2b15bd48265e70b744be2359b6447f463696c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5e4fff27544f7c73f6c715eb1b209216

SHA1
f401291832d963cadeed913d4e9c2fd19dac3200

SHA256
72906766b7d7a5de97664764f8e74d53f3450026128046822499ac91bbe397ba

SHA512
b4ef7afbd2c61e677c3fd4ac31b1103cabc586f3ef36a2cf8f821c104072119de687a64eabfad804d9e51f263b9d68344dff2684d7c368ff37c8ea57fdd41d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
18f3bca3ebb2493b2c9af733bb8369de

SHA1
4a5e6bfe6a3d27c95373c900f2a9987d5115604b

SHA256
8cdf5bfb2a7317ef6e96faec9075b877305e8d478d4462b740139a579e8d6820

SHA512
18cea7b902e7bb13652499a1d809f80741ff79e3a816dbc3289cbbe7c22c2cf545ee891b50ea76f2382bce5a04b2dcde7c6b3f1c4589bc9224c653a7f65f2962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
df5170e32e3cda00cc909a4bc6636865

SHA1
fc0e5f6e43806c0e06836f2ad50f381e00aa3f5a

SHA256
a5faf137bc701e4505a3ba393caf3b7b02ff9ae60684c4c0930415e8ffee6606

SHA512
f8fae11b4c599758459d2e1bb07e302260873f5cbd675046ba3025d24113341a4c98069ef817656d4f16e461922dc01692698d3ec4cd57897b5aff77761967e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e863c643c82c94fa7442f7658813b999

SHA1
cf52906a36f94aa4eee641820db3208c8b7646bf

SHA256
c9eb4ede5ced180d73c6457906dbfda02c83b69b4bf37bd236422af09fe93873

SHA512
081d9bfd25e5e3d9adf2d4592d3f1d66cae0398521ab8d13ed76b3871d405829347a0bd11b2b330d95c4ea86330a151f30b3ad8c5726dfbd0d4324e6efccbdf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
71c9351843dd3659165993ae3315da31

SHA1
bea9d6991ded89ef7cb015cc79abefeac6d9ddc3

SHA256
67a7a059f96ef44b9c956044e2559c55eb05a8feb77aa8e90d1d1c10dcbed197

SHA512
da7b035d45b36ce91f39b047f3dffcea404dda92a247562a2a9e6401d62ed648ab96441f06bed1364e1540abf020ef88da04e467be96ac10b9fa3492b4f796ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
88f91e27fb25fc63e258d6b305de3f87

SHA1
cf3d6eefc12cdc82177c32fdb87314a6dd65eb10

SHA256
46d26b83c11c25642ad6ee75facc6217afc00b56e31f8474d4b0eca48d6c2c3c

SHA512
6533bf14e91974b11c8de40135b3339174b137b031b9d5bcea8636bd9de89934f4a14b11f3897b83e4b1a7fb03814c1027142f438c02f5f3c01a6e2cef5dfe3c

Download Submit