hxxp://68[.]178[.]203[.]196/

Analysis

max time kernel
41s
max time network
24s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
03/07/2023, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://68.178.203.196/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	chrome.exe
4736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4736	chrome.exe
4736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4984	4736	chrome.exe	70
PID 4736 wrote to memory of 4984	4736	chrome.exe	70
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 1240	4736	chrome.exe	73
PID 4736 wrote to memory of 4384	4736	chrome.exe	72
PID 4736 wrote to memory of 4384	4736	chrome.exe	72
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74
PID 4736 wrote to memory of 4492	4736	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://68.178.203.196/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaebb59758,0x7ffaebb59768,0x7ffaebb59778
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:2
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2760 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1768,i,12679717353073193226,7336068182571859024,131072 /prefetch:8
  2⤵
  PID:624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
5d5a97ae2aac857a22438f906db8253a

SHA1
243d3f9f0229b6ca8a8b64aee56fa4f14013f269

SHA256
ba7c95674af3e003307ce02c5d01d57e0889f4307f977af03ee8237de7c99fb3

SHA512
8a11fe4a57a610a4efa77ad4cc06ba628d1ec8876e629e537d7de021781f4a0c401e8b7225899dc0c85fed5417b36ad867f7362b1eae44242b431e2d953f23b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
921f7bd0180974a981115595e098adbe

SHA1
e967c15ff1324570b9f4de191fea20dbd32b7273

SHA256
e51b6605a7ace851573a1e0a2148ac733b1bc1d1d0cc8da86149b2895d727033

SHA512
391c30666923e1f49b2dfb4c9cdc153b12ca8ceaa02153b10f1d29097e4d108db1f215d88459a4301a2de21bffef24f68e7bd91f6b9d313f64dc102034facf3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
224b28748742feb7a2ac3e2aa6a650ae

SHA1
309a888488e55963de5a8b92a6abd102d6800408

SHA256
29402261f581ff089d97d9445857cf406c6e18257f8ed58418e7d9e7aef0c6af

SHA512
bba5b701362d863799731fd7b0e70ec8c830fe245ca9cdaf5c15e4a7665e7264de811b43e30e26c1c4f53eb07b9ebbaeb10fe6083e419e0b6e972e313db8b258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0aa546096505badaa292c78a13c21088

SHA1
0d56c3bee2ba7a28c2938fdb00869b7880e64335

SHA256
b6cc78d2bcb34ca8c60430aba2731ae6d6158d98a0f9c3c6b27cc938be4e15ca

SHA512
883790849eaf85b94cc40858fed3470837107de9f3df616e82d835e2e4305faafa0ea9894c4f332375436e1c0d813ce976127496b73c0dfec84dc0d47ea62ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9f17ccf5c036f59d91786ba5562c8076

SHA1
812c201273bc01120f7cb52583bd35ed9c6f9cea

SHA256
eb87032a28db370b60e8ade2bd1c7f3457a0b420974d872360d6ef32f3dd282d

SHA512
7a85fd54896f19e89e25f7df9abcec61a33c55a784d1282136e29fdb685225a28ac22a8723c897d2c01656fe98a4e624bc74aebdc7c1eb9d81a7a9b5b4f8a8d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
af81cf43f04cc2522deb0eab33d19c76

SHA1
df78409008c95e3304c96e99419c1ad11d0bad77

SHA256
b2c87598bb90c8b8ab3755fcadd9bbfb5cc96d602bde38bb145ea877b94b99c9

SHA512
88d829431fa4aed6cb4646300bcc8679b4925f295c7024909f57fb9b0f25d0f458ac482ee3d5df76fd12336f08e69650de256a1015af0777b998dd90cacd62ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit