hxxps://dbszc8fnusst92tyov6wpxppegk78xwm[.]oastify[.]com

Analysis

max time kernel
150s
max time network
129s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2023, 12:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://dbszc8fnusst92tyov6wpxppegk78xwm.oastify.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133338103444021229"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
364	chrome.exe
364	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
364	chrome.exe
364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1292	364	chrome.exe	70
PID 364 wrote to memory of 1292	364	chrome.exe	70
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 4520	364	chrome.exe	73
PID 364 wrote to memory of 1340	364	chrome.exe	72
PID 364 wrote to memory of 1340	364	chrome.exe	72
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74
PID 364 wrote to memory of 368	364	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dbszc8fnusst92tyov6wpxppegk78xwm.oastify.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe0a899758,0x7ffe0a899768,0x7ffe0a899778
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 --field-trial-handle=1760,i,12590451081808836640,8101951895777592651,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a6bde971932b603539c8c2567fe06040

SHA1
f085e4d2b0053be7ed377a7f53cb277302b46ee1

SHA256
6d3214f7ee3efdd70edb9db7b3468318aa8c0e071c6875f855ff98a3e4a09e3f

SHA512
934b65f6748d0faef9a616ce2bec8584f307f5aed8b52d86d4d53bd3191362d002478e9a1b6cbf2131382fca638815d3796ce76636c4af7b27f23e183dc81935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74187850f84d818d61af389a3c25c575

SHA1
ffd20d41c207bb2036deae81b30f5e213e97ca7c

SHA256
7ee2709a29fb08d59b6412d273d79d81ae171f06457ef991f076f7a4373748ce

SHA512
4652cd3cbb1855c49edc5c7b2cd616d6404fb1085a64e8f1ccf80b86d82a4ac18eee7d4f2f9bdaa07e21f8f0738bdc8f117e8653b061bf6140d67ad4fe54f213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
741acb13e8527ed9bf23e4c78ea55f86

SHA1
fec41e66e3a08a2ab2e7bc0f41d9894a711e3e6e

SHA256
0b9a934867fda4eda8a30b6702e4f22b9136809aa1c8fe894046fa7a87e61c29

SHA512
7496171a52b7b1b63d4738c8b9f14066de815a74c88b939c8ee4a99bbfa279a97e57967b1f404123bdfcf51d4e97227421a0238d3df8f53a8f92a31c70346ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
4be5918b3a555335e7287aecdf5471d7

SHA1
c9167c6180b13d294420fbfdbdb81c43b297844d

SHA256
958b04cdbbfd29cdd4f5e4235c9c97c6f053c6f1d2440a083d2e0b1e943dfa27

SHA512
618dfcda3f7be92a26d1e985fc729f2ac95b1ce5a47b4f5b51ea1641fe26dde8eb3f12b49a008cf47bbe1a5d4f063ffb7eb026e73d7a17745e96812670c760d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit