hxxps://airds[.]mt[.]gov/MyDevice

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2023 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://airds.mt.gov/MyDevice

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133336668505354058"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 740	4732	chrome.exe	84
PID 4732 wrote to memory of 740	4732	chrome.exe	84
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 4080	4732	chrome.exe	87
PID 4732 wrote to memory of 3204	4732	chrome.exe	89
PID 4732 wrote to memory of 3204	4732	chrome.exe	89
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88
PID 4732 wrote to memory of 4104	4732	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://airds.mt.gov/MyDevice
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc42c9758,0x7ffcc42c9768,0x7ffcc42c9778
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:2
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1924,i,11154798762007821772,14891435942789046703,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\20fd28d8-1162-4f58-a2a5-b4067a79923c.tmp

Filesize
6KB

MD5
260ad292602463216551076b4834dd8b

SHA1
a03e330f80ffb41aafdf24f03481794662f39fee

SHA256
c7796583e1c93d714d43591a0a32fa4e94c2c311fba3ab59051510404d570e05

SHA512
83db12bf900521ca03cded881b43d45e80c7c20a1865f811c3255b40cd3cf3452783b6569cb9df4bbe0f1f37df697ff62fa126ef3737da030b2cdcce92704080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
45a789e7c13bc23df9b344caa36db386

SHA1
14c7d466f02a4196b594e28d496524960eb0826b

SHA256
3d3f58dad08805f729f95a8101f8ec72dfa28858776c100c369e3e309a728e63

SHA512
28bc7783427217bb941629262cc6ec3a779bce24b9ddd0f3d5b14ea127f44091af4c1a29ee406dc7ea7ff57f4d491db603119c16634c20becb4c7fcd916f2a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5ba28ffc1a6009157846a2c830e6a45b

SHA1
5719ea61bfe7b59ad76eaa055ebc85331d682223

SHA256
39290c066f8355c206a61849e2d1f13b007af4cf1e39eecc72392717c13feb8e

SHA512
a60def8ef38650c6375b079213ad1c82ffac46ee1784c10dd18b894f716eefb853aa63b3123bd088e488e65d76609bb5c0c2dbaea95969d2f57a6175ea0ca007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
3f97035f60ed08bcd5899dbfbc82f08b

SHA1
eeb4592488b540092b5f2da1c59ba303a0aa5b1f

SHA256
b7678a262151a046ed09baafb5a53bc7f272edfb60c4dd3763eead8e061eee05

SHA512
e2461d42fde395fff6e967a8f7e15a969ba0009ae54ae70fdcd84e31333c07a85ce67163df6691c227b94c33fa125de0879ce49226d7f5ea60008545aca75791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c1db989e8580e668766795b889b4935f

SHA1
3b1c0c80efbf25f83add09b131a31de4402e3fe7

SHA256
6646b98a814f350829400dd824ec977e3547a0d304008d85ad82349d50148b59

SHA512
bfc9e57cb2c5cd25ea3d8b661fdf719947caebc49b93a2b3f3dff879fa35fd622d93a76cd9393549af7f4fd91a9b678ec1a0e6053f5a3621d23daf94714a4147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5de380b1f3e963ef31528bdadfdefd25

SHA1
95b323d9f163202b5b4011992115facfac458853

SHA256
c1084cc4f1a09ceed9fd5acabc52d54c5b684596ff445d3ef6417461f975ec68

SHA512
c1f0eb7e8afe10283f81247ebb5de7388092deb8334acbe17597f4b6fd640a430dd8cccb5c0e773bb7ab8eea2734db68f0884f3e8a9bedfd94e4300c429c62ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
03bf4e55db26582887cdd6fc6434314d

SHA1
e88d2029b5036b57d5957ba9b43dcaefd8ab5f48

SHA256
0a54a24cda89a581bc732d8492f99ef472bec1f27017895e8b4abfea0b064d2d

SHA512
07b1274643fd3fad5a69b893436f8828b797bf7518ef83a8c9afb8bc93eefc0aed50f01f65fdbd0cb0062aad38c23985184b4fd63de36936fdc67894e9c56050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit