hxxps://id[.]me-irsl[.]site?Verify_ID=Nx9D-2B77321DQ

Analysis

max time kernel
33s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://id.me-irsl.site?Verify_ID=Nx9D-2B77321DQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeCreatePagefilePrivilege	2980	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4776	2980	chrome.exe	86
PID 2980 wrote to memory of 4776	2980	chrome.exe	86
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 1116	2980	chrome.exe	87
PID 2980 wrote to memory of 2976	2980	chrome.exe	88
PID 2980 wrote to memory of 2976	2980	chrome.exe	88
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89
PID 2980 wrote to memory of 4216	2980	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://id.me-irsl.site?Verify_ID=Nx9D-2B77321DQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc83739758,0x7ffc83739768,0x7ffc83739778
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:2
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4804 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4980 --field-trial-handle=1812,i,17949324729943626417,16907791974153457817,131072 /prefetch:1
  2⤵
  PID:4616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d8ba7cb49078786cb4d5b83d08ac0972

SHA1
0efe97f8fef8ac51b42555e1e134212fcfe66b0b

SHA256
5c7b9e0bca0bdb50cdac10014e8e8eb8177d1976455403c263824b054ecd2a6f

SHA512
fea78c897cc5c52e443acb7e28f50840533aa212dbffc993b373a378a0df1834486759cc9df548baba5b13dea43403acdb8ad98730d7e309b5521c539afa90d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
19db8c7d4a592c97c2d8a13c99de8658

SHA1
14bf4d252d8e9f718210e0101e85c9b691d8c6fa

SHA256
157d6cd45db4ed4c326d8fb8bcff414716497730068a6f07ad1ce9c4224a6a82

SHA512
7cd0a34d98e6de317ff7a2666a5f84228a5e836937880a8ea6f03507f336e2e7e4ba3e6192133a5dd881e37cfd8802895793e1bc985fc449e01a2bebcc4135eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
309fb355a9b6eaf612eb93c92e253d9a

SHA1
81ad2b6b2635e9b37af8dac797f3b0a82c11bf60

SHA256
b3844dafe94715d53a44ba651c2042d27f2fabc532a55bb864cdf50481619137

SHA512
58413010ace52292a5b4db38fc1277a5efeaca6616208d1d6ae128c307c948404d0de9cdd4d512d2529643ce4a9cc676bedea3d6a4a8c76097b9f7317bf1f11a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6543b569789399685728af805c18c941

SHA1
2d5eeb2057ec5736d1e856aad50c649cb291b082

SHA256
333f065295d916f0cc3c8f31d8c7a8c4c06f3f263c987c44f334b9862c238f71

SHA512
d014e967eb54127682984499b5dbeb119bbebbbe8fa63287c7079f8aff6fa02fce36dee26f652b2a2f7c89b56de5809d590abeffe1b64b694906b6d59f2c12a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
b5cdace668a6d1f8858cd5823965c413

SHA1
807557fbc9491bea439776a57a588ef2ca644ec9

SHA256
a6f639ae02efe376e62469653bc27e2760ba86543eabb8eb91db16b8b4106df3

SHA512
094d6199e057645cda2c466f8bfe1e4962218e6252d42a1f924decb017f77ff54aa4f950876e0747c054904a6941e214e61ecdbb40f3e97a4024c19ec54ad3ab

Download Submit