hxxp://www[.]log[.]in[.]meta[.]HL3bNNuy[.]dv[.]la[.]gv[.]uk[.]n5fBJcuqM1Wx[.]homebox[.]ir/[.]qzq/[.]zqz/?n5fBJcuqM1Wx

Resubmissions

30/05/2023, 15:55

230530-tcykfaah3z 1

30/05/2023, 15:31

230530-syffbaaf9z 4

Analysis

max time kernel
27s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.log.in.meta.HL3bNNuy.dv.la.gv.uk.n5fBJcuqM1Wx.homebox.ir/.qzq/.zqz/?n5fBJcuqM1Wx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133299429553216846"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4536	1660	chrome.exe	85
PID 1660 wrote to memory of 4536	1660	chrome.exe	85
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 224	1660	chrome.exe	86
PID 1660 wrote to memory of 1196	1660	chrome.exe	87
PID 1660 wrote to memory of 1196	1660	chrome.exe	87
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88
PID 1660 wrote to memory of 1860	1660	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.log.in.meta.HL3bNNuy.dv.la.gv.uk.n5fBJcuqM1Wx.homebox.ir/.qzq/.zqz/?n5fBJcuqM1Wx
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd74129758,0x7ffd74129768,0x7ffd74129778
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1752,i,586967679685584429,13208559115812617793,131072 /prefetch:8
  2⤵
  PID:1520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b41293672d7e1889fda740f3172dde3e

SHA1
f7e6b1d68a8e90b8751124ebbd91024ad1da1fbe

SHA256
1e076cea01ce02ffdba3f97ef9592a6ccd075585ef205c4d051f977438b4c77e

SHA512
6c077cf329a00ea1a0c3d2438c8fb87dceefeea28ec5b49debcbbca7be6810b061eee9682f886458a98d2a4c79feca83a21f8491f3bba2e225423825ad338147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7b1dabb90dd34c4efca345cf26d41376

SHA1
dd78aed03c347d759d992a15f808ef86b072f933

SHA256
082e103a3ac86b78e043758e7d06f3b389849ec3af8f9e0dbe4d910cd2520059

SHA512
fe8efeba732958b7134cb6e93fa4a7bd78c43ffa08c9767118572e50ab2fd48e7ff69087ede044201f650e63a6bbc3c4aeb577bad3e337a95f3991ad478a6463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
49a908dd1886ec57bef355ea52251c64

SHA1
a45239a6abcb14403334a914ac75bb39a53b70e8

SHA256
1f018c53ea450fc6c335045c4860c701b112c97dc669acd7a4bcb7df30e663ee

SHA512
b226445540e007595198be870ceccc6b5b1d67f5405bb30e580b7350d35a2bbf1301ef3501d6e155d890d9a67532e1fe4da83f768e0b99d3f610caf700c32f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
aa5c036dfd881c554abe9c5f04a7718a

SHA1
ea878c882a4e1440ba70d4c1b33d1196dd96bd15

SHA256
5faf87c77c5970ec0c33bda7f7f34e92c7850513f604f04d4f891cb37a669997

SHA512
5132798fe83f7c578933315ddb0c8a60e08716d32595ae4222939c7a453aa183f058ab0b5484d00ac200d3ea8e2dd88065d4a9414f17ace4d68da19dd0969632

Download Submit