hxxps://aka[.]ms/vmsettings

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2023 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aka.ms/vmsettings

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EAE95BAF-AF94-4F4C-B1A4-C04AC4A70100}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133344267384707193"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
4436	chrome.exe
4436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1952	3088	chrome.exe	85
PID 3088 wrote to memory of 1952	3088	chrome.exe	85
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 3436	3088	chrome.exe	88
PID 3088 wrote to memory of 488	3088	chrome.exe	90
PID 3088 wrote to memory of 488	3088	chrome.exe	90
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89
PID 3088 wrote to memory of 4696	3088	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://aka.ms/vmsettings
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec2c09758,0x7ffec2c09768,0x7ffec2c09778
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3920 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 --field-trial-handle=1792,i,16748215724243027739,688038882401068987,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
3741282dfbf6087fe2e401bdc389910e

SHA1
50ce29ce465fdbd284e830b835ab041fb60ee4f6

SHA256
0e62ad1e8618a945260b73213b1376141f14169e2c63d775d7689008b05493ef

SHA512
a1ed2042311ee7fea2993113066e0c002319d20a9eeaf26984de30397258b12b6784719eaa8edff957b84b50a1037a9282c37173d38e1e954e06fd3694cc1f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
33a8b5a7a81957971f54b598e432cff0

SHA1
0524864c5e105bb0eda4a9673a9f1e6fae385b5c

SHA256
b3aca8e34259333638458fbb692fb9b76008dbea98610474eddc1b5d2e0c9f86

SHA512
e571fd5fcc959343a911a63a95dffd844db5043625177926a20d5c74780bc96901e64411ab50bc30785f1a25028722cacca8f5bef7f4803073c8d6d4e35c4987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
d921dc5ca963b04029b1401f4d9658da

SHA1
fad85bb18d4742da9fb2493a9c54a8dcee119d71

SHA256
476b41eb359828980b0391a5ea621d1c2c12b866e8ee16a66766e46a8115c0a0

SHA512
1365a10dff03e270d14dd0eef3184202e8d22a251a77bd8dbbba325f54f267fefe5de39377dc9d2cd7cb920e932ec4c9de2d42566223b0bd9364474a0253cbb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fd0fcbba73b2e310fd42cd76a74e45ac

SHA1
dc347afb08fe807e72e5c15d4ff04348441b59e5

SHA256
d6ad6d43f660f32ff73adca389662041007c36103e00bdbed48fa6a3ae00f8ed

SHA512
b24c72577a8602e28382b30536adead4482b8285b6d77a62ed3776f9667f2b89e6af7baf79666d18147a03b2bf1efc3e41e64a52667b8436c215dcf70b310b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
14ca808c180f782876ca214901bbf844

SHA1
b9c70755b6b63431815666cc025d18d9a7a30db4

SHA256
02d9910ae426d5c7f6039b98e0877243b67d5c9222e5675f06d450134075aec1

SHA512
f0cf5355c2ebad349c921b9b960a90bba7f45a876a47a785db5014237131e7802f8c753068adafc6fa6e9eaf3abb52be9ff9d97398df7f6dc2b66adad04dbdef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit