hxxp://3[.]126[.]26[.]85/

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://3.126.26.85/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133330924358166834"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4052	4672	chrome.exe	76
PID 4672 wrote to memory of 4052	4672	chrome.exe	76
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 4564	4672	chrome.exe	87
PID 4672 wrote to memory of 5004	4672	chrome.exe	89
PID 4672 wrote to memory of 5004	4672	chrome.exe	89
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88
PID 4672 wrote to memory of 4736	4672	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://3.126.26.85/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa46a89758,0x7ffa46a89768,0x7ffa46a89778
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4916 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3296 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4848 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3256 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 --field-trial-handle=1876,i,157569528721709327,13191070777730945142,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c3e574fdb6d786bc1e59901bed987a89

SHA1
137e871affb6035dd528da1dff7da514fade4429

SHA256
9da7681755059de4c73338c330a0b2b735937b9300fa596c0c5294ada7d23191

SHA512
dd5b99dc6f6aaad1bbf072aa73f6d8d69978172cb290f516015dd2dd9ae1ab1672a340db3cd54cb98eb397da86716e5c556c2f908314a3191491b82db27ec3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98780554b0901916a922ba9cd9d48375

SHA1
3b155978dae59758d6b7b7fce24151255b9dcd0c

SHA256
ccf40ce32d5b8ea18bfa67a6e37e8d7763c5f827d71e25cb150d3d85578701a2

SHA512
c061d52a24962ff4ab1275e3bc30f929860f256d1b7ec3e5891e0429a96c454277cfe1a53e124efa6b51e4a278fb586316c6d33a204d56e97b6d7595c7b0597e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d747684577987c714c6116dce7a6140

SHA1
31ba171ba0391d0a422d7b2f342d2cabcfa8bc36

SHA256
7721c4b22dacb18b4af5e87f5ad6d15f32b73ff142d32f0dfbf0fbcc5e344194

SHA512
20f1cd91112fc5c9b494c797f4f145881197f93f0460176605b42e983444849834dd2ac326ef07794ed4698bcd30823637ea85f2f4163b90177f6489bd288f8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ffc8bed93796eca1446237a5a28b9f9b

SHA1
c5938f5cc9cac17734b645820859320ec8f25659

SHA256
6f33306ec98c215fe4afb8ebc031c15a9bf76a75db9b072923412404f99023c3

SHA512
ad0f008fde3cd42c2da0655a9cc9e63525654cfdf62191e20942a04d151f869e82dded0ce2c11fe83846066f6011d3be804fdf74c4674ac41215e65235aba574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
0c7229960325c31c72cbd19b68aef155

SHA1
c18e76df57eb4ac06dc426ae1f5883359db34ae7

SHA256
b19ab15f595a5439a7f2906d0534bd25922fea69e548fa7316a0cfddeed79e39

SHA512
d58a60122e8e355690f7b33b0b4386aa61582d34609f66b8b43303a09fa7cf934fbfe991a45db8f020f11c1523bc47fee4110af0b9fb2e7a7e28e3d1a921e8e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit