hxxps://mailhq[.]info/ls[.]php?d=ZW5jb2RlZFVSTD1odHRwOi8vd3d3LmRvbmJvb3plci5uZXQvbmV3LWd1YXJhbnRlZWQtaXNzdWUv

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mailhq.info/ls.php?d=ZW5jb2RlZFVSTD1odHRwOi8vd3d3LmRvbmJvb3plci5uZXQvbmV3LWd1YXJhbnRlZWQtaXNzdWUv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133342751429403257"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4332	2252	chrome.exe	77
PID 2252 wrote to memory of 4332	2252	chrome.exe	77
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 992	2252	chrome.exe	87
PID 2252 wrote to memory of 1800	2252	chrome.exe	89
PID 2252 wrote to memory of 1800	2252	chrome.exe	89
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88
PID 2252 wrote to memory of 3904	2252	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mailhq.info/ls.php?d=ZW5jb2RlZFVSTD1odHRwOi8vd3d3LmRvbmJvb3plci5uZXQvbmV3LWd1YXJhbnRlZWQtaXNzdWUv
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa9bd9758,0x7fffa9bd9768,0x7fffa9bd9778
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:2
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2512 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1868,i,5727874223215746933,8269432914154006716,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4430682a3f5b4bb1ab9a91dd5f8405c5

SHA1
9e6fd78bc29897c8a209db0b275e8b827f5f2c3f

SHA256
55198ee52ca954d13042caca5abb4450fa2c3b189ef463518f9b776604c3545c

SHA512
3b044917d08f3e1d2fcd5594a18e3d3020e44bb3cfe933e6bc47686909bd2b9b05c39a770299bda35599864e17bdb6b3155febd677305c7808d5397f5b81fddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
70cb2710b38106844f8e2d1a41e2cd10

SHA1
7f390a5471ae6509a7b714bdb155e4d83c2c27d1

SHA256
eb590171a679e4cf43ba60bdfc8a89d30614f2c6967e3ffe5204dfd79031c222

SHA512
3464ccdd0bc7e80b71c8f4d737c53981ecae94c93b763542515b63ca4d95ee67f2a4c102bca57f2eaa08b311a01e656999e97bfd5094051a28a3401e30790634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7f2f539f5e58a2589ed5b217208c1afb

SHA1
d65a7a14ec2bccf0a76c3b2e0a80f9709ca304dc

SHA256
9b0fa85c2cb489795bdde6345e82598f9c03f4021c78348e687f2b37e6596e4c

SHA512
125bfed205252c3b2609224b1d937494ea3bd07751995e9888d596c10a0e33fc54726bd2adac0bb4302db5c98959182faddfa10bbbe3cd4bc73fcaab6d8aa3c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
97119180647a8f1b15d31c577098e544

SHA1
47df4e476515515e9eed4decfceda51c8fb7c1af

SHA256
312761d1cc49bd6dabcad272d805fd317bd740604132865375d0c92082fbb34d

SHA512
101e3b2ddefc628f873b7f82e850240cc00d4f3136957852e19d83dcebf2341d2af35de9808c6582de6e026b78cb7bf2b49d7d0283016eea3a0f52da5acb1f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
012a188072b457918a02d31c1c3504a1

SHA1
436e3c1df88c7cf150eb615217215ee82c8291b8

SHA256
ca778a6aa71123e6f517edbc3b92721d19845a412d8076267e0579fde65096c6

SHA512
afeca4053250a71f98fea6bfa1a480902c53edcd5323d0c9e88d479a02b6b70a5fd48aca9a8c4169d08bc29c982facc2cee0b20f883494bca7ced53340adde60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
ccb60bbb4e380662f550a7cf1ca2324b

SHA1
fbad3dfee70d173b6e307eefaa387c84e53bba0f

SHA256
8d5746b759ff1336da3b9695e991dd6fe387d0a4093fe31ac12efd6728120d41

SHA512
0d78fc40740dc36c20bf4e0116fe051d764214d6288712cdc39bc3142fd181abfa9dac3a421f686fd50521eedb51a0329821a38308caf1be798bd8c31d095982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit