hxxp://guterhelmet[.]com

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://guterhelmet.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
980	chrome.exe
980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2880	2704	chrome.exe	80
PID 2704 wrote to memory of 2880	2704	chrome.exe	80
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 3460	2704	chrome.exe	83
PID 2704 wrote to memory of 456	2704	chrome.exe	85
PID 2704 wrote to memory of 456	2704	chrome.exe	85
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84
PID 2704 wrote to memory of 5112	2704	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb8,0x108,0x7ff848079758,0x7ff848079768,0x7ff848079778
1⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://guterhelmet.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:8
  2⤵
  PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=996 --field-trial-handle=1860,i,7022708704722020577,3367911109740891182,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
cad492a05a3f06a995bca16852138e6e

SHA1
b0542645442bc5f91c1d6804d8f385aac8fd088e

SHA256
bdf5f6baae9180ce15e37593d544e782d37f088c8a0b40046b50a15739eea4f7

SHA512
6c272708d5bb1a5f0197a6d7814ba2ab60528be54ddac3edceb62aa5cf5ca0574f8b3bb395ff6d151a328e5d06f44221e01bece57360277eab3ae7710040f153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
989a0e0dfef93b9c794a05df51f8d594

SHA1
6b27b210ad74b3549f7faf1edb7096a3799f09dc

SHA256
898def30683fe4ca54a82cc7a756e0e9abb2e4746654cca707fad089283cace5

SHA512
2884adedc4986f146f5e07095c8f3038246662f7f4d612eaa4fb1a1f71199eb6cf6c9a037970716a709fa85688a7467f1fe7392a138c49c5d4998365f3ca78d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
87bd2877797a006d5534709a21ec2c52

SHA1
4db1c22598ea5358735509f773a0f5e2a0bec624

SHA256
4768e0da9a9dedc40052c5fc2ffc52520c50058b0d94f6da754e705b245d72f7

SHA512
0eba7f8f44638e3bf1deebcb772da5951b1ffc225cabddd74204cf702bf2869546f8103f0cabdb3ed6ac99ea8b4befd2ae01c5dd707bc1285c8ab1928e5264f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d5bc03f145bc53449ccadb2e57e3910

SHA1
3a718d2a3e6c3f907e91969ce926e1f97106dfc8

SHA256
148a2e83ec338b15ca8bf376d44b1b0f9103cd696817a4e0dab64045d962e4d0

SHA512
fddc5933fab1c02e15b53394622a6bdc369179086997d16e2ea15307e0dbdcf62b046d4ac045656f4244ad6e6d50935eb2303300b991202eaa931cbe1018dff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be282d68c32504c11e295b5b121959ac

SHA1
b9571f6397c5526ebe978407762f9afc5c3ab29a

SHA256
c9c2a335a57096c56ca6049492213773a4889d5a8019daae2454ed4130d5c5c8

SHA512
ea967b0f919509909b54ffb9e5a8e903254d14fbff34474cac4d6806a63bc421a4608226658632a920bc2688bb1b92fcaea7b9317d0983d35a21e096db3f4965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd3c1821858ee758ba1f2cf8c0b05442

SHA1
aebe1e40fb3609f8f7cb8fb07ee43aeb943816f8

SHA256
aa56dcc6914cdaac9fdcaa0a1f2ae5547822b1eb1244c8859daa022ef5ba502d

SHA512
98eb9ce1443379104ae89407842c89f5dbdfe9a2ab03331bb869ef0145c486893230c1c79bf1858c64e4f8654397e385441cec1da369f53fd329e1bc583782cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
faaaf71df34211144649132b26d50847

SHA1
b902d78ec583c63e1f70f8d0625898f8178e54e5

SHA256
3f80b71c9abf1180356bf26325afc0746c9a93bc583ec210b513a0701d6f6099

SHA512
345b6d42696f9c0ee43a9e6bafdd13b4ff42d2a09ff16deff08bfa781cda406979ff0be6f8cbdcb788c220161798ea88877fa6bb92539922706161912c63c856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit