hxxp://c[.]randdspecialist[.]uk/D-2B-6R0-2VHJV-IPCFI-765V50WW4

Analysis

max time kernel
21s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2023, 13:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://c.randdspecialist.uk/D-2B-6R0-2VHJV-IPCFI-765V50WW4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133344187052751066"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3080	1904	chrome.exe	72
PID 1904 wrote to memory of 3080	1904	chrome.exe	72
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 3924	1904	chrome.exe	87
PID 1904 wrote to memory of 4028	1904	chrome.exe	88
PID 1904 wrote to memory of 4028	1904	chrome.exe	88
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89
PID 1904 wrote to memory of 4972	1904	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://c.randdspecialist.uk/D-2B-6R0-2VHJV-IPCFI-765V50WW4
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d6899758,0x7ff8d6899768,0x7ff8d6899778
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:2
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1828,i,9735155937144697758,4792963228719107733,131072 /prefetch:8
  2⤵
  PID:2788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
09dab52d9974f3bb12ea41f1701c63c4

SHA1
f8b19ab4685ca03c4b2fd6a4039f15b9e9f54c4e

SHA256
0861c4102d9012db3296e8ed4d02e9efc24dd00f19c4c1fb164473bfbc974e0b

SHA512
d0ad39bcdab623a119b58691406a23785fbd57ed90df22eee6b3bf7bfa58af85dca83fe4ae9b528bfbf87828f2c1b32dfecba55a5095c0a9f81a9cac32763101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
011ba2986d17ae7e61dfcecdd6a4d3ed

SHA1
7135cbafdd8bb4b0852f478b0aef93b352e27ba1

SHA256
9a93c7c548c4246f47a6eb1d0eafecacc6adec9d59045a1bc7217b8656d831bd

SHA512
c89840831170277b6ad77566a9b597cf05f76d50a3366191ab3f310611e8432d8d0f39e0fb2df991685e412f236166107fa58202bcb1e298fc0a3d63751b20c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba9dd99418ab44c12adac5caf2b3b717

SHA1
38f2626a271ad82d6e794f14770cbe8670ba7deb

SHA256
e15547289bb4407cdcc23342562a680ddab4f1e6890e5a0524e3afab374aed4b

SHA512
9fdb261ef98731cd7f82a0570fb29ac434b9cd954f5bcc475df9f89c6844905e8d5e347b1cd9ab94083a08fcde6aa6a442515aeceb1490b31bff93c202218e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2553dee933c4fb917f0aece831d4445b

SHA1
9d6f1160cde1b14cd68768c95ccddf2f9c22c7fa

SHA256
c58919f417806c980bc11b3666b0e673d18f2cf2fe56178e64b2e1c10ca6e382

SHA512
8a2471c5752a5ae42d7cb51b58e6ffdd3652bc85cefedf338a535d80f8ef46b8c7ed684230090d8942c9e54763aa5f7bb68199a49cc708d0eaeaefe95035a8ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
623cca459fae0e3be5e3515b001f4080

SHA1
77f2bab2ab78fb89da4489d0ada518718d3fa55c

SHA256
65980d9dc42d561d296538dc4f42cdad5b4500f7b8c69a84e3a1a7749817221c

SHA512
0bfa2e2948a21f01aa5ce7474917427330f97cb29485e0349c66d7777d516eb68cc3132d8b22b7784ca6a41d39409a2660d26d166a2c1e4e1a4360d9d356272f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
067d2794c01bbddcd4803887fbbbcfae

SHA1
a2185a114c6aa9bd1f5614a1fd04232de89ca7e1

SHA256
bdf425e124bbac00c5581ac7136aaf7a659b7a3fc70d1241af33c18b9e49f5c7

SHA512
48c293a39dd5d124448f512393ecf7fc391543976b835edc37dd83d9a4e846917609cd2b7cbb589bef3ae2ef531ec02d249751235a3fb805e20c3a9cac705a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit