hxxps://lt-system[.]elmenus[.]com/lt/

Analysis

max time kernel
34s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lt-system.elmenus.com/lt/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133336462973278433"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe
Token: SeShutdownPrivilege	1452	chrome.exe
Token: SeCreatePagefilePrivilege	1452	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe
1452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 5092	1452	chrome.exe	38
PID 1452 wrote to memory of 5092	1452	chrome.exe	38
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 3592	1452	chrome.exe	88
PID 1452 wrote to memory of 1692	1452	chrome.exe	92
PID 1452 wrote to memory of 1692	1452	chrome.exe	92
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89
PID 1452 wrote to memory of 60	1452	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lt-system.elmenus.com/lt/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5e9a9758,0x7ffa5e9a9768,0x7ffa5e9a9778
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:2
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4708 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5220 --field-trial-handle=1720,i,16431406532069189205,9341032708813245717,131072 /prefetch:1
  2⤵
  PID:232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dda2bd821fc0f2c32b1e713a42b7e261

SHA1
29052d70c854f5cad3c4094b4f282e442b0d7f47

SHA256
40449b7dd9a57caf4ca1936941ce0b64cc1d6541f28b6c117d04fc55f81eed24

SHA512
16ecd18fbad59328210fc7d5da4f49dd932433696d1830194c706613d82f700f61ce22955f29196c38bb602f1d64c0aea273495aa75f9e45966244bc6add0eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ec9a00b8ae306c070ca4aa955140c0ea

SHA1
80a75ddb12e7bb8a938be565f387a9125a06f371

SHA256
8e6e7a3dc69826917b583fcfad0f839caa8b2d0b7758bc435b2646c6942e7a3e

SHA512
4594056ebbdb792d6fb34d64daffd47dbe130aa1b53640b22a2addaec0af40073c7bbd248cf0a1dd73355a621c8322435d3d788a8c53ef60c437c6cbb9c4f7cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
1c088f4156d15b922848eac1cb66aa21

SHA1
b4b64b1d92bb85195a9d9221c421fa6393e6ff50

SHA256
dbd5a8f267e351a45699c041d7d8f8c7c2afd56c5cd1088067f6cf6ad73e06ca

SHA512
c7e1c56be5206ed7ae25169f29b20c96a33ade295c74f2da57a01f269ae9604fd5b372959057e8c53a5b939d8d4d5f33ca89c97cbe9d3cede2540750faaffbd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c383a62f873d9d40b77a4989b003ebb

SHA1
da5bf7565aef9f3634735ce53ff790cba4a0f657

SHA256
d8618c67b342a2909192b3a03e373ec19156d570af967898ea7e48e9af4e39e1

SHA512
f194348ac2a819a460d304d495b1e116b096e6046ffa1e668103a98066631cb58274239091a1223e4dbc814a5e284f74e92706e46d888488289e20e189e65425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
47c8e3a69c15bba42176f0da33ceae66

SHA1
381d201a2d14764b4a210498e3bcc47e4e0a6cd9

SHA256
6ae3af5b3498f4173d0b3c53f817afa2a1d49b65035be2d6042df49ed5f00542

SHA512
4d3fc29b8fbe27ad433d8928e6e96ea78c0ca9c1025f2c2d2256a2177f5b975dbf665741f9ccdf1e85e49163a3e4fdfb2e8203ead737800a183b7f9a8c941577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
9dad9700ac2d32ea73abc2cd379251ba

SHA1
a68440d5f69bd089dbd467e9eb6e9926d553b98b

SHA256
e92aa531d095656dd6a170e63619576b064726caa4b52921f74414a15886138c

SHA512
2ec479584916fff313f7fe58df797f47434df6bdc43112d69f07eb4fa44d2b0cbef2c9e180d312c52f650eb48283f450042cfcfd950cbcde69466a6fdd8468c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
15c63d7d87d910d1897aea75ba12e6f7

SHA1
9e26e6d392c9c2da1b30e670ddaa7e1ac4ab6b31

SHA256
6e362cce03b82b7dcefb010d537651c73fd40e788e4589ed54abf3586b1efae4

SHA512
057cb46045563a7be319a4e89a87e68bbb3e79ee716bf12a156c8e1b3220df2bdcfd2bedfeb27965eb97e1978e076df6185b802c094ff21b4f4eca551f7bda49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit