hxxp://ww25[.]ips[.]es/ips2002/ips2002CLASEA3[.]crl?subid1=20230609-1800-0257-9472-31385a28acc7

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ww25.ips.es/ips2002/ips2002CLASEA3.crl?subid1=20230609-1800-0257-9472-31385a28acc7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133307874625802808"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4632	chrome.exe
4632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4572	4632	chrome.exe	84
PID 4632 wrote to memory of 4572	4632	chrome.exe	84
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 2884	4632	chrome.exe	85
PID 4632 wrote to memory of 1684	4632	chrome.exe	86
PID 4632 wrote to memory of 1684	4632	chrome.exe	86
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87
PID 4632 wrote to memory of 1496	4632	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://ww25.ips.es/ips2002/ips2002CLASEA3.crl?subid1=20230609-1800-0257-9472-31385a28acc7
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade449758,0x7ffade449768,0x7ffade449778
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:2
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1796,i,2922579434882992116,11299637022579923310,131072 /prefetch:8
  2⤵
  PID:3104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
7268e3768e1da65b8cdc26a410129487

SHA1
8bdb38feae0e4eba0aa5e70d6e4ccd2a38e7e545

SHA256
9d114d7a10bb19820b4be379da38e08e75d0fba7045052ae4e6defdd7330355f

SHA512
91f262779d5603416875fe1f5703f97992764eead870c7cb978499d3055058d01756ba963f0c8d3f8024f12aab5a84ad0ba2dbb555ecfa3f5e0bffe844387289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f41806e3487038a34bec77fc5a5814ac

SHA1
4521a902cf017c9601f1e8a5b9f81533c4011fd4

SHA256
07d6cacfc2cf46f923d8209fd42968003889262ac257b21e8620f7a8ce46468d

SHA512
e57b5989a6263ae1eb32e495fe59ec291a44a5f177dc2237b264a88ca2f28fd5c3f7782afd232105d8f9a24175513d895811ce0e0303840ec468743734641dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f7ac8be5355fe745544557ed6395deca

SHA1
76869404fd4817cb10f5f19f50a72058c73848bd

SHA256
76bc978a74829f1231fad4cb4bdf0423e192427aaf464396358c2917b21d69d6

SHA512
5c873ac3d977218742c26221850c0dd91dea69519abe6e3033c8fa6f4be7054b0453c60fa0182e5d7dc7986db308a91864e978510ee1d69dffd63569437fbe60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e4978172657a1d2cfddf49391e4be1b0

SHA1
cc640d5f2dae90ce3552b0c812fa313babc81514

SHA256
8c8047031e4267a8d4c4f04c4dcd1030ff34fc567259810f1266605fe55ab9cc

SHA512
75a6184f93497e3400f140645c2b4779223da3850dc0f8bc4686dc2bfce15ac24538e2fc34a647157550849d7435f9fcf1fd7691d65a258c3ccf57765b51a8c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
dfdc71ab2c607ce8c3a6ed8454a5da35

SHA1
143f994ccee5750c81c4aa3e3e4d1c4eb3f5ec70

SHA256
d0874dfe8d230f14759035fee5a35376f5c07514dd83bab94fa89189abfea47b

SHA512
aa9cbac529713f6e175d7a62d59c52d749b8f9e5de5747bedc6d51de3e5238df872d811244598637c173098e563fe2aea6d44a551de6f47fb0bf7fa4038c02d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit