hxxps://www[.]timesheetz[.]net/EtzWeb/u/b9bb0ab5b9

Analysis

max time kernel
1800s
max time network
1695s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.timesheetz.net/EtzWeb/u/b9bb0ab5b9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133325729943635291"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
3356	chrome.exe
3356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3948	2328	chrome.exe	87
PID 2328 wrote to memory of 3948	2328	chrome.exe	87
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 3860	2328	chrome.exe	88
PID 2328 wrote to memory of 1696	2328	chrome.exe	89
PID 2328 wrote to memory of 1696	2328	chrome.exe	89
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90
PID 2328 wrote to memory of 896	2328	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.timesheetz.net/EtzWeb/u/b9bb0ab5b9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5d89758,0x7ffaa5d89768,0x7ffaa5d89778
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=824 --field-trial-handle=1868,i,10096392286561979197,17038932296292878859,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
668788b2589b26311b64189095e3be5a

SHA1
1d1e14683567eda56e48518876ec2815acbfac74

SHA256
3d4786ee7697bd24df9897544c110075663619fe79fb758245bec2ec27b89ad5

SHA512
933d4f48b9369cafe157653e5c83daf39c38a71d688d05119e2cf84d3f77d2ba2778ca7f0256470b3872048013a4eff516d5fbaee8d295672da2931e5ba5cc1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6c88f0156663b9791dc3f935aacadbdc

SHA1
d91744ca18d3225a5db7a949c3768679df445f09

SHA256
8832becbd01be0f7e7f21d1879fbecfc942b86d2a708228b0348f9f44ce3c072

SHA512
e508a388ecc25ac1b51b0808bb09527a417ce06b2ba8f251a4ba2cdc489f2a2a4d7b7ae61cdc6265a6d2d7efe9cff89455037451ce0d3ed023727246247bbaac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
0a895834429b211e04c8d59e73ac3ca7

SHA1
905a19dc4d61695ba71d0e637b976b1303fe63eb

SHA256
22d1b03229226f80efcd0c0f1f88755e67bdc58950396fb25cef596da1de0da4

SHA512
78a9cc2982f4c20b58831ecb24eaea2e9711c397c3d595baed977d94b8a4578f86cfba88076f81221bdd8b4c734efb2d12d68f095c757569ad2ec6c7f0f5fce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
90543014c4ec6c18d54b6a19e985b043

SHA1
02df5f98ea906e21c3bc527e8692d86f48c2bd1c

SHA256
aecab85f8ee72202ff2454e1f45ea9190ba6233b966e92e8c9f42d8da860ef22

SHA512
e406c10e27096c0eeacf22f415124b08085eb0e315a665be4a49cafa7e48238dd289524b40ba8877c4a0e317bb798ce9aa3c930e6fd15fce3f882228f0a7b9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6fbfe29aac0d5d2a36da302fdcd703ea

SHA1
d04ce6e8e77756807025bde8ddffb50e9a166e6d

SHA256
75b6708f09ced6a2bac7b27538ff91f6b0af928491de395ae8d927f91aa95fda

SHA512
996f81321e600e5981c92c736e3dfd0e9c2e3dc0c2a0791b0e82c031e154fe08b248719f4b65b76c017db6feca4ab74746079e4ccca6ceb19c373d835b2529e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ca2dd00a040afc04bff8b52a1927b2f3

SHA1
130b22523b1eb628e565eed91c6c1c6489260a64

SHA256
252a5e4b2ba1eed4a4aa14447bdabdedcfd3921a0972485cfbdb099e70b61d42

SHA512
1e1b51440b508d7574b7ae0b7c865eabb29ad9d4ab97acf1053172ebd4eba9924e6d2c9df7d191de172c1db9da98e28139642b322a10517a62b21c1988e7be82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
934a5d80abda8b4fa5139267e9ad8e69

SHA1
d6eca3d03a70c63eae023b6ef11583c73bbe328b

SHA256
d80f4797d793350f91a2b2e71c4188e26ea984d9af508f4530c99987cbcaaecb

SHA512
40bfbce13c3220e55f3ff1fcacd75f8d02e513ed3bae5b62bd06370bc9009481c75fc3ec80a1b6d8e821347a50b9a8bf7b8a39d3fd7fc070056dd8c59cfe7186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit