hxxp://api[.]ipify[.]org

Analysis

max time kernel
149s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2023 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://api.ipify.org

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133338902786717540"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe
2572	chrome.exe
2572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1016	4436	chrome.exe	60
PID 4436 wrote to memory of 1016	4436	chrome.exe	60
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1612	4436	chrome.exe	73
PID 4436 wrote to memory of 1152	4436	chrome.exe	72
PID 4436 wrote to memory of 1152	4436	chrome.exe	72
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74
PID 4436 wrote to memory of 1836	4436	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://api.ipify.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff974f79758,0x7ff974f79768,0x7ff974f79778
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2720 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2704 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4088 --field-trial-handle=1820,i,17230227143917835929,13758855789946687457,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0ba9051af4d193cb94ea42291aee8cda

SHA1
93bf7042b10585168c17f6ee8001a3b0b96004da

SHA256
039b84f214974623a22d2522482217e9a03885070d7cded3457e9bb310cbd200

SHA512
c7b509976144786e52fc3dac45d442de1d3658ece176929ef3fa36504b5f8ad7b49da8366ae84fb536786151c994ab3a3b255438611e99e7d0301f6f2ebecedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c28806c758fdeef79b41f2dcfeb3b612

SHA1
0a3ba3922c0b5d34eb913673673e1656fa1e738c

SHA256
cf9a1d80f5191f0f53cfdee6ea110342e24663d7d6f27d16d242658c7948e9a1

SHA512
cd4df501581f26b5d581e92a227402d225998b42436c25cefd25075ec0041da3ed66a0e648b55d8a6c730779762e5f53ca32ab5ff82987813bd16fdd9192539d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ed0db1f3ee5aa1371ed7c83c7c0c57e

SHA1
b320be451bf580b6205877ce3b670a2eef6e848d

SHA256
26fb4d1d96c405303834e95725743660ac80d789128d3af76a38aea263613388

SHA512
3f41d8b2d0862172823b94de0e1593961ab2a467bee90243d4b8a59151f2b1a1fec20e9b1a8900c109b014eaeb05c06cab469c00e9ded04e56003edc18d6a320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
c01ef063e5b069a2b55635ccab55a70b

SHA1
e7945bd6596676128d981ca3b837abf036bc063c

SHA256
f91af7a9b169a36bb040228eebbe9e9eefe7212cf5bf739c76811dc7cf759ce6

SHA512
4e2ede7e53cfcf4c03d4bd22325e0705090dd14275a8b6a9d8a2f84fd9e9a61e8b12187d638844ecd7b62e2ec1b7e95745e54f2d14a18177eaaf5f9c952fe9aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit