hxxp://zhushou[.]officeaid02[.]com

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://zhushou.officeaid02.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133306667635902377"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4340	chrome.exe
4340	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4340	chrome.exe
4340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 644	4340	chrome.exe	85
PID 4340 wrote to memory of 644	4340	chrome.exe	85
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3252	4340	chrome.exe	86
PID 4340 wrote to memory of 3472	4340	chrome.exe	87
PID 4340 wrote to memory of 3472	4340	chrome.exe	87
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88
PID 4340 wrote to memory of 3564	4340	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://zhushou.officeaid02.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b619758,0x7ffb0b619768,0x7ffb0b619778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:2
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4632 --field-trial-handle=1816,i,17273947315146476664,16711327818902434795,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
dfb50d11426f1ad2e399faa4031a34e8

SHA1
94e6f6e4122ed20d266f921994c485edf7c89ea2

SHA256
ad934281779ce94b25eaea033d4e9b107413460191dcf11ccf8bb6af74e6caba

SHA512
e72b9140c32e353f1d103a22be838babafb722c0140e7165ffb163b6b55cd350b49f155a17ea2801e703dfa454124f505aad488ff4663bce9865e075adc4746f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
8f5f799c2d53704571ca66e4a44702d1

SHA1
ed82bdcb50961d586a900aac7749e1fa8e8f8fb9

SHA256
eb295de178a2b24bfcfd7317185df01534ed463ea823378cbe7ba9088214bdd7

SHA512
a68b33f866671a5e9d2d74b200ec5f548c5f552991c2b64b974d6326b99b7ec8a9cba72de3e7a515ffbc0df6dc374b7e3b30919967486564de82634fd8b0556a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fb9b2fcb01ff6f089f0b15bac4763041

SHA1
2b5d13863db0f1397f0526b41770f6c2f783f5ab

SHA256
7e7d739a8af75381add11003989c30792ce823f2e27004bdc9633e826d5bb32d

SHA512
103af065f808f7458f753184b00d2ee57fb719b6c3a8826e6095efa798ea8e2f4086cf3b5b59d1be1306ae46f962205c85c144729efd5f338277ddc8c74e93d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
baa27921b78d10132caa447f363677bd

SHA1
fb5aed02162e18c771f58b2d6984878a4e1914d5

SHA256
a9d501c242657362fb21c1285a655078aacc9e46a33fb409beae7a1b77d181d0

SHA512
2e6411ec9f9ed676313748f7cceb31f732c38db0c5541c1ea43f313e47146c16ac6566102965b71d0cfeab8938c0b8c9433ab40b279d4ca48d2c5ca152b16f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
af6c2436518ca5b42852e6a7479aed8c

SHA1
7db7c31737cb1e4845f01e58bed40eb827149ce1

SHA256
4971abbb4ad1eeb3257de1fc5efb3c1810f6df07914d81a1393745b779580d3c

SHA512
bf80b25ee4f0b4dea17525c63fae8024ad990e4e62980f70312515bdcc58d5a377c53ae170accb52c1213e586e080a5f23a8983a61f2d69d68d4e3bd8bff833f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
ffcdfd9de519b2f95416dee569d24ed0

SHA1
070687fc863370bd59c97dddc819bd72cc683f16

SHA256
d4c5955b94fe3e3bb98b2aec8bdd52de55388bf1876f3fa4d4968d8da67d7442

SHA512
deea9597c1e01018f50881c029f7ae5d6a18925f828920c7ac4bb7a8596d01074e52c10c274e23b3a53257e15afff656340d92239c4d26b76e2856bec4477325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit