hxxp://www[.]thebluebook[.]com/wsnsa[.]dll/WService=wsbrk1/comm/redirect[.]p?account=4223432&seq=0&compno=1601231&userno=2&trackM=m[:]13_31%5Et[:]28_34&trackT=t[:]28_34&trackdt=01252021&reDirTo=https%3A%2F%2Fsclgfnt[.]com[.]au%2Fwam%2Fnew%2Fsf_rand_string_lowercase6%2F%2F%2F%2FamVzc2ljYS5jaGlhbmdAcGVybm9kLXJpY2FyZC5jb20=

Analysis

max time kernel
239s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2023, 04:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.thebluebook.com/wsnsa.dll/WService=wsbrk1/comm/redirect.p?account=4223432&seq=0&compno=1601231&userno=2&trackM=m:13_31%5Et:28_34&trackT=t:28_34&trackdt=01252021&reDirTo=https%3A%2F%2Fsclgfnt.com.au%2Fwam%2Fnew%2Fsf_rand_string_lowercase6%2F%2F%2F%2FamVzc2ljYS5jaGlhbmdAcGVybm9kLXJpY2FyZC5jb20=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133303271310886601"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
264	chrome.exe
264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2856	4240	chrome.exe	83
PID 4240 wrote to memory of 2856	4240	chrome.exe	83
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 4480	4240	chrome.exe	84
PID 4240 wrote to memory of 1740	4240	chrome.exe	85
PID 4240 wrote to memory of 1740	4240	chrome.exe	85
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86
PID 4240 wrote to memory of 4980	4240	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.thebluebook.com/wsnsa.dll/WService=wsbrk1/comm/redirect.p?account=4223432&seq=0&compno=1601231&userno=2&trackM=m:13_31%5Et:28_34&trackT=t:28_34&trackdt=01252021&reDirTo=https%3A%2F%2Fsclgfnt.com.au%2Fwam%2Fnew%2Fsf_rand_string_lowercase6%2F%2F%2F%2FamVzc2ljYS5jaGlhbmdAcGVybm9kLXJpY2FyZC5jb20=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffbd2b79758,0x7ffbd2b79768,0x7ffbd2b79778
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4596 --field-trial-handle=1820,i,16479360049802484389,6513151163232809134,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ec9a32bd736646a2556c26c8347e2369

SHA1
ca9c2441989fb23e7fb6b1d2b7e4fb7c7966d684

SHA256
86ccebbd62b77a3fcc3714bdff8582fd28cce3fdc294ca8867e1475873c645c5

SHA512
46cdb414504a3ce603ced8c346c92c81bf03ffeb07be2dc5e9a5d1874162f0fcdd8d0524d68ebff969fb9d89f9ca88d398e8f8c353de4b9b023a92d19b79c2fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0a2fa840840a8291724369b05252d1a2

SHA1
9143157dd98d74824d01e6f63b8d857f60c9cf4b

SHA256
0e8a900a74ad7d0f67803f650a15c4a794264e52619bb539dfab1e9716d4f167

SHA512
22f469410f4c051a96c420dcb85d934318dafa36aaae47c658680a795f85932212da87b9bc0d2cfaeccfea4f17275fa5c8bb0dad5e11c0ccde1ba46d19b31a2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
778867f54a694dcaa77b65ab4ec080dc

SHA1
cf148213452bb91331af75360269c0c1b1f6aab5

SHA256
b48e103973cb1f3ed0d5bbc80eddbd026f05b39dce070ae43a2ebe12febda06e

SHA512
f794f8e848bca8df72c675bbcf34eb9fdce599fcf3d99eb660d9fbf6966d957f90ba3af01434b08cd9945cd3770459ce56a55d15ff5477a2b78b7ff669173f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
963c0e6095e49bd510671da2f530bb89

SHA1
12db05b5ff70de58b9130e9443b511f01082867b

SHA256
f2978e2b85d267e5abac5832f16ff670c904c086b148c3f359a618b106b9c95b

SHA512
a706707a339e94982e903dfa65bd170032a9f895ade572b441c1e71c36aee24616c0845382538dc59fe8e69eb4862010e1daf67e93df47d29e9363156a8354e2

Download Submit