hxxps://news[.]aiccampaign[.]com[:]443/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=hxxp://a4lxqd[.]bmairs[.]com/dGlmZmFueS5oYXRjaEBsZWRjb3IuY29t

Analysis

max time kernel
74s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://news.aiccampaign.com:443/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=http://a4lxqd.bmairs.com/dGlmZmFueS5oYXRjaEBsZWRjb3IuY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133307134188076692"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3848	3500	chrome.exe	83
PID 3500 wrote to memory of 3848	3500	chrome.exe	83
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 1284	3500	chrome.exe	84
PID 3500 wrote to memory of 652	3500	chrome.exe	85
PID 3500 wrote to memory of 652	3500	chrome.exe	85
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86
PID 3500 wrote to memory of 1252	3500	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://news.aiccampaign.com:443/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=http://a4lxqd.bmairs.com/dGlmZmFueS5oYXRjaEBsZWRjb3IuY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf7e9758,0x7ffacf7e9768,0x7ffacf7e9778
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:2
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4696 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4912 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3200 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3324 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4356 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3296 --field-trial-handle=1908,i,9622082512229082617,8567205124761324838,131072 /prefetch:1
  2⤵
  PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c1b65e78c9c487126676394c69283af7

SHA1
112fff74dab2b80600e2b585c768936750f782b7

SHA256
22972431c18ea69d5563cfd21feb62268252d800f2e6e4124494b1be6be9734f

SHA512
d6d4cafc9c01176986afb9e79c319288a73852c1295e339230f9a8329a379c981a9866824b96485d0edcdbbc550b003b6d4ed4e77f97431429db62580661f1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ebf1d01b73f9f59d22476149833a3b73

SHA1
698afd30665270bf0d04b54eb39640d122274b11

SHA256
03e168e3581d3fde5bc337167a34d8bd2f2269865a3fcc50bdd16632b22f0e07

SHA512
7a0b488e2033af6d48575958e9e7e2982adb7fe090b2654600ca8f34bb1bffdcae2cd7d5bb0ac5ace4a10a8570bd7e92f38c6ed28c09ced6606f49be95c41106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
db2b5cbd893dd3c3ab0e71ed5c1962fa

SHA1
2ce65c28a1b58c854a17d66aa6dcbbabcb4f4810

SHA256
aac1b311457bb0d9627ca4b5af4109c618007cdfbd5f173ec16069d7527cfad7

SHA512
7a674bf740cdfd1c31cd7de4498340d0a487139f071d041695b70e6e9111a0f4ac0927b586fd5d87b42a94cd1780a58b6fe2c09d141e59c3bf3e7b1f0287635d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eff660da658da4ee816272b001f01b37

SHA1
30128eb186502a20f6dc5097276721fd148e3579

SHA256
71c0a9a77afbc846ced36c3bbc1bf3c360739ec050e43470b703d2fea52728f0

SHA512
19c68a9b35c6cafd481922a3ef0523e23b3f94c099bf2837fa67c7652b2c0180dda178b1460efc1664d541fa30cfdc8e50e767de045dac16c0aeb62f215ffa32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
4ec476dce05dcc8c3ec71b35e6e59709

SHA1
8dec9f502bcec89a49cb9a772e7aa52c0e5fdb19

SHA256
b91f9943a0c300863b2846307b12033df6bd647ce7642436e2172114b33ea582

SHA512
b7382e0a5d57548bf8fb59c1dcfbacf7de30a6417f6091739254ba476e26208bc51b77c76a46b5db1f721a59f168157f41e9c8d8423ce0d39219af45b3c1ff9a

Download Submit