hxxps://ncv[.]microsoft[.]com/qsBvusAjQS

Analysis

max time kernel
46s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ncv.microsoft.com/qsBvusAjQS

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133305545869327794"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3344	chrome.exe
3344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3344	chrome.exe
3344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2180	3344	chrome.exe	86
PID 3344 wrote to memory of 2180	3344	chrome.exe	86
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 216	3344	chrome.exe	87
PID 3344 wrote to memory of 232	3344	chrome.exe	88
PID 3344 wrote to memory of 232	3344	chrome.exe	88
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89
PID 3344 wrote to memory of 4156	3344	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://ncv.microsoft.com/qsBvusAjQS
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd74129758,0x7ffd74129768,0x7ffd74129778
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:2
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1776,i,400301814158446660,2231539954714175670,131072 /prefetch:8
  2⤵
  PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
24d774d712ce23b39bd1d68db0f1700c

SHA1
1f8e6ae6c4b5bd46678673c64e3c0614b1f5b588

SHA256
0c5e101d4ca62d003d5c92632d4b0cd91b4af2e804c64d8e8af3e513efefd4ed

SHA512
a672477dfcb249de03c803d6f0cf2844399d61573a6cc544ea834ab1cfc28e61d6873cc97fc93d3c7484af1e0aa10539e1bcf24d35acd25c211df34a69679166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c5e38200dde90e586ffa7f51f15d11b5

SHA1
cbbc6b01b691b050e469c56de7235c6e31f6caf6

SHA256
4309625a379a893b8e3a1388abef4ac79198ef6ddc36ea1979e0393fb3225404

SHA512
4da794acb9f2c47468890fb095a17e93c3c8e6a476ad534be02ede137425642573765bb0e3db2c734b423b1ca9331ebabacd49a602d1a311aa38a368aaf1f1ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
31215e7ab8ccd883e89a930112f90c2f

SHA1
6cf24d81148a5ef45d99ce4268bff7e6a77e6e0b

SHA256
104882b237c3526dc4a51267724e142b1025c635ad4ef6ec7085f550db2b2c53

SHA512
d27c7d81a473673c6da51f3a6af385f1b881e469aacb894491ce845c8120d01c9ed1cc8a1521fa317ca9a7bafad38fa17f6bda17f03a0dab338edb0962cce21c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
1b6468c7e1ad9f98b4ec0c9a0912910b

SHA1
e6b6758b17671e984f29a3b652d6f24fcacebd38

SHA256
f6e2e806f91425f4b0bf55ad1f042c2a1a884e2c0f5de655c31ab705202db420

SHA512
6ec51286686ef318530cfa89284c5e9176d00ae6ad6bb13dde98eab6ada264d59bf6fb45107b239514c2a859db33b2d5bd6b576006a041a51f35c57da630baf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
f058b85b4968206eb68889639f32c808

SHA1
5f9a49d57cee70b80479f0e8473c8d92cb87bd5f

SHA256
1f604bdf73cd0d5fc266bdfcedbc7cbdaaf32f155b1ff4d49309c9816fea7810

SHA512
35c86cd83c4be46ac6f54e1a92df4df343d741064643d58b8b78acf2571be5667e242611133d912193f2ec132afdcf3b7d8c0d4925170730467401f51e5b792a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
119b2724d037c71db58463a7f3ba0f25

SHA1
e720111f325e2261c30fc35d72cb80895e2843dc

SHA256
c2ac82520ad4c39e2fd268d8fa424170fde604d1060daffa714847baa1daefc8

SHA512
c4923ced4bb125f4d7b45b4697a714cbee249f1b4a4b0dd834476cc9df7751309c2391068f15c5600e44e998ef2043ec9c2f366cea90791054c5e7dceaec8cf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a921b0b8300332378ac5e184b9e67360

SHA1
98afb1417f5526e4edd7a22d99acef0429a760a6

SHA256
beb1fff035ebf025d6071dd01fa403528836a013b9ce563be3453dd314a728db

SHA512
c184afde043b6aa26da6f8b120d2ca9186582576daa6085c31ec061210ae578cfde970f0920201d6768ab2e1d974760a99b89b313764fa1567d0c94fd23d5f80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
21a86071f5bff611e22d1687c0ecaec3

SHA1
71a0f09fe003feedc94159dae80497245b5ad3e6

SHA256
54f854ab817b69d2bb2dfe25dcf626d03d99294d62233b44de77157d5e38f833

SHA512
46070dabe2281ae7f1349c8d53f1fd671d34daecf57d7c2208fe3fcf30666f0c989dcc7bd8fb7f23c79a2f7cca304c0d437125dc08c1169f0be5b01fb53057e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
61dffb44f0a33a09293e5883f4f0aa7b

SHA1
ab30b92a5b53f4132f9f66e654b540a8db137106

SHA256
aa1940e366bdce697e5a4aa55c9f8c2569989974a2d0b540bcae59e38048cb37

SHA512
066ba2e4a456555361f9c32c9a8b4ac1ccb59f242fa99ef9d939e0d0e0325b3c02d0a7019e071da5d4647a1da197e208d8d73bba245a103b85514dfd77b23c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
2e50f662324be060914a585b4933e154

SHA1
eb09e63b6f1d32d09b0958a2cb4961b28117f2fc

SHA256
fc5542ebbc795e8950c7b296d9fb8eab8b1c96daedfe00525e95db438f7ec71f

SHA512
a6905aa94fb347544531edb4b554f2cec19cecdab9a00fbac91c59ce353164bd695ad53ff65f35f51ca1c847912546f07e858bb9a1f1c773c50a62137424746d

Download Submit