hxxps://bit[.]ly/3MRvki6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3MRvki6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133304038240817614"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 5116	4372	chrome.exe	83
PID 4372 wrote to memory of 5116	4372	chrome.exe	83
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 3976	4372	chrome.exe	84
PID 4372 wrote to memory of 2236	4372	chrome.exe	85
PID 4372 wrote to memory of 2236	4372	chrome.exe	85
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86
PID 4372 wrote to memory of 216	4372	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bit.ly/3MRvki6
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb937c9758,0x7ffb937c9768,0x7ffb937c9778
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:2
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1016 --field-trial-handle=1868,i,18147517877019675301,14464903142198727657,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
d02c5c9cc1c4d20a34f4608dafbd26b2

SHA1
6548eac058124341a461ed395379a09c43f8c1ea

SHA256
d628f8632fc605dd31d0955fa0a6438c8b8fe6e3c6c8ff55d50112b84571c4a0

SHA512
e02fcdf609b6a9eea0d54d3440d26e0447cb1f31e15f5117e8236119f0b0852cf786a2a01fb3e37a2629f9a1e88067611df80234a03e6feabe433c0106145827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
63ebf54013662f559b4a56cbb93b255c

SHA1
f0941f180111731124f20b98aeedac7d6a55fcb1

SHA256
4a1841cd147bce98ed62270baa13d15161740d2cbf93d3b9d6e5d5304ea75e1c

SHA512
4d42c03c5c2fe1997e04e15d078035df7617ec640de7363e0815bce65ede97d2ce0b71e80a9d454f8ff02bcf7ed93ea1888e5064efd0cc6a75ed1079fce1ffc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
82ad475e6e717d5c2420c8dc22449187

SHA1
963e7e9b09fa198d6e6dac224d9300200e6a5fef

SHA256
7f1bde8c7d907e9c12a324fd9f26622051ebd62a3267df02ad4bfcb733371f94

SHA512
b62b62cc3a670f82c649a9fd760c55ef62892f063a7dc36ab9d7ad17a1f329b22162c8a5e6b5269dccb9489cc3edf20cabd4017d256c005bed226dd81956c0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0fd47191fc5398a8b947efbdc3375f6f

SHA1
9a6c685f16b097edcfdf5840cee1b12dc74464d3

SHA256
42c3f5e3c9dbc3496e73308cfd2fb3559fcf5fa541bb24057f5ce10f3d053df1

SHA512
3052ad13c700059230e0efc2618e13c258ad4b50be83b0db58bac67287d57e700385538a280e7815dd7e7312920479bcf61f033415e1f9934e2718b01efae522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0615a4ae7726d714777a7b2bf03360c1

SHA1
2b5350ef235e0ad1cb273dec2600567b408c208a

SHA256
088b0d38748e3f51d20292d50a8250e5dd392d9f52323f6a05d030fd953af0c3

SHA512
557ed6822d2259514d61905cc2c614e5dea5e3677d408652d773e840c0e97a68e1191250f781d1abab534d2ebe501c33a9514608236d5efd2d63e1a0d528eb34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0434c891ff886e1b6ce9f5f91b26f8d6

SHA1
bd053d6e1efb686e03eb3063975435dda4127be7

SHA256
6638bd3d7162f4b704b54aa507aa2c0255fb9370856cfc5e9e87163d43d57830

SHA512
98a766fc2297f01d9cf41a4330144c2f57435706b1845cbc5053463073c0be4231fb1372e4fe6cde0260c5071ec94f6d324c9495c8ae3844a89b19a80b41265a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
b4a285f0e1e36b063be07955554ee7a7

SHA1
22194ad8072edbbb83ab91fbe531aacf71f79e1a

SHA256
f46aeb13ced785b708a3c0cbb3c8fefe5d8a55081978c945b401d4d6f25d40c6

SHA512
f1eedb47d63fb24ee3940124b1c63c091f2c1a9fd435619d4821434ea9cb5ea6360cc683d9c43acd318b57255efc75162377f31e98dff1bf4b20b6e312e414be

Download Submit