hxxp://adtrk[.]tw

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://adtrk.tw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133324921280747054"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
900	chrome.exe
900	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1552	2460	chrome.exe	85
PID 2460 wrote to memory of 1552	2460	chrome.exe	85
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 1372	2460	chrome.exe	86
PID 2460 wrote to memory of 3764	2460	chrome.exe	87
PID 2460 wrote to memory of 3764	2460	chrome.exe	87
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88
PID 2460 wrote to memory of 1220	2460	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://adtrk.tw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe743b9758,0x7ffe743b9768,0x7ffe743b9778
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 --field-trial-handle=1848,i,15611292537099248935,12007449438144607071,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
18308948dfdeb015756940b9c1d28952

SHA1
547ebfebe51d882f6c0f5e895eb0f733573ae9ad

SHA256
7e31a00a0c3c9a2b4496abf715b3b769fe6355434e93cdd1c4a1272d46fcbd52

SHA512
a1f300024b8ac71cdc71e97703a4ad1c2a9455b93f0df4cdb784d6514fa165d23b70a48f4c4d43f287362811cac7d97865ec2931734b24a8fd35aee3e949db53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b426ff3095ca14c69c7e470c05b2bbb5

SHA1
ac25b25a87c213a6b6081956dcaf1a9d67cf71d7

SHA256
d2e72b63bdf7ec690f289ec86bb71d10ed15dc5333e88bb0ddc4e10d807ae45c

SHA512
9132d724abee4fe36a8dc53ea9aa3b6e27cd61edf9603c233cbc1e2f9928e6c9ed1aca130d3a086b1e70431c0276edbd6979ef3f8ffe8a216d6fba647736d46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
73df934ac21c7e1127265686941cfe2f

SHA1
a48f4931b2d42e4a0462c64619f48aa7afb8da01

SHA256
523adafd0846c32582250989a2417c17ea88bde0bd5e7eb6e092d0896511bd6f

SHA512
431c0efa27cdeb95e76e2c46114f1b4f5eb0da1d3838c56fffde40c61b7e2809a9cf3d50651259ddc173d957befdfc8f216c607b71d17f1722dc1a35d4237986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
3dac0be46714dd4e62a982f8104b2632

SHA1
12a1a04acbb0fc361e19b0ce5f69a89d5ffc8850

SHA256
88bc108fd483ed46a73a6b0b4fe26db103eef07a496084d78ffacc87e3bf03e7

SHA512
4655fa02532683001456c7089f52e6cef6e91caabb1e99c131b3133c86a1a021db4b6d6862cd389f597c4e5ebe4ccf5713a73da1e91863f68be8a9df69a89212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit