hxxps://urlz[.]fr/mEKn

Analysis

max time kernel
21s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://urlz.fr/mEKn

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133335324595088395"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4772	3392	chrome.exe	22
PID 3392 wrote to memory of 4772	3392	chrome.exe	22
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 1164	3392	chrome.exe	87
PID 3392 wrote to memory of 4336	3392	chrome.exe	88
PID 3392 wrote to memory of 4336	3392	chrome.exe	88
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89
PID 3392 wrote to memory of 2020	3392	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://urlz.fr/mEKn
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff833d89758,0x7ff833d89768,0x7ff833d89778
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:2
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3716 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4656 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4852 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4676 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4928 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4752 --field-trial-handle=1884,i,8630201054822180226,6077469833275640563,131072 /prefetch:1
  2⤵
  PID:4000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
cedb20fec72f3c94095f106a85152f59

SHA1
391c40f2e116fcc075ac0f512d41c971d4da352f

SHA256
e9937a1fbb7cb30827869edcef4918e9eeffe8d59a25e8326b3a6690f6b52ac1

SHA512
07f76f6bb1920bbd9f556f35aa9eac6f62d0d2aac4807167c2393a14f7b5805d7a83bffb51e6dcd2fc89826d41062f2578f2c442726dfdf3bbc29527e49b2297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
6c656fd89808a713f5ff86c25c9af1c1

SHA1
7d32de4d08217cc29264cec7acb8c92869fe45d4

SHA256
c68c8fd82a8f0364624b767596ac282b92aa113df3fea9c596f8fd92f2deebf4

SHA512
6067914a41b584d53246339e849ba4bff43eab37dbf2b1a71fb70bf3bfbca46becd07e4e0f8018f0b3af9136c5d8dd68dcf89e8f0552d16c1eba20bee46752c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee01ee6e606df199995257e04960924b

SHA1
04f74da57156f963ca2b72f273fc29b9fb2dd61b

SHA256
7064e182ccf01e258738b1f3860acfd8a0585fd657fb6590f7cf09abc4af5581

SHA512
ea776c4356c250725e88119a2050f00f5291efca5023f54c1163c65af88f4ab44f7e2cf4c1f2596b8c54db4d8fbf83d74068c4be79cd50d014a815982928102a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c26589445dbd6ad32dc47a75a2005878

SHA1
47e255d745c6b5573d620bded57a1e355a0d96af

SHA256
029a94f30367e0f902461e609f7cff60c4c64c7e068288e5d9b4e2703a26a65d

SHA512
f4129143c580868f4f9fac823aebc3b25b0df85b9eb8f7cbc415c09402d239d94031ceb0864e7a59fafdddc80a1dd91d8d1cf71067cf17798f9966daeb6a02e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
c39bf96738749cb44eb4a9aa1fdc168d

SHA1
ee68a12cd8b1bdd32895adecce09e5208ad9a4b4

SHA256
9f7e804ffc45778df893a386d0863a58502abb105f70683d50e17da5df2c42bf

SHA512
514277137427efe87904f7339ef3804873b830428cad240f0a9990b716a9d1d7dee0306f10827d2d48c1b6dfa40a38bfe39267f7a114f05ed6b842a201073cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit