hxxps://sp-cloud[.]kp[.]org/sites/services-myTechGuru/Standards/Pages/TSKB[.]aspx#OSP

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sp-cloud.kp.org/sites/services-myTechGuru/Standards/Pages/TSKB.aspx#OSP

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133345606374406148"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3296	chrome.exe
3296	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe
Token: SeShutdownPrivilege	3296	chrome.exe
Token: SeCreatePagefilePrivilege	3296	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe
3296	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4720	3296	chrome.exe	51
PID 3296 wrote to memory of 4720	3296	chrome.exe	51
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1936	3296	chrome.exe	87
PID 3296 wrote to memory of 1668	3296	chrome.exe	85
PID 3296 wrote to memory of 1668	3296	chrome.exe	85
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86
PID 3296 wrote to memory of 8	3296	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sp-cloud.kp.org/sites/services-myTechGuru/Standards/Pages/TSKB.aspx#OSP
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1d429758,0x7ffd1d429768,0x7ffd1d429778
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4720 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1512 --field-trial-handle=1864,i,13757912793483395033,12754812803593221605,131072 /prefetch:1
  2⤵
  PID:2200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6fdfe2f1f63bf420814ecd941f3d07bb

SHA1
242ad5ac31747ad890a650910250770f7b5de44a

SHA256
a081478bfc9c0bf0ead9131e38cf8f743027d48227c0be7e8ac0977d275565ac

SHA512
3e0c50be2898258a8f76942329a7f0a4e5079b0b99ac674f9a2d909391c74c9c110d7972b7f8136ea9343f64e308ad7c60160a0704d1088bf51e21cfcbd37c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
286ef2e9925d40f158f37345b3b5d2aa

SHA1
4ae0828dea6a7e1b834eb34d30e667d7adf6cbb5

SHA256
f446ff7760cbb493806f417134f1e04ddaada6e8210d1d7cd590f46155ee1cf2

SHA512
9b8c62262d866680a6b47c2ffc7d38688126347e2364773829caf4e44e3dff5d1ed58ee487e6988c9d02d44969369a912e3e4f11ef8b85b8279de7c8107453e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
94b5c5c98e509339279b2dd2e83dc653

SHA1
eaa74769a85e1f7f16afc56866e4ef4d1085deb1

SHA256
07a8e254d0d06fcaea722a07d93638b575e7006f94dbf87629b7122bb7477648

SHA512
9f23e225d16226a4e2612ef43f2bcd9d301d16701f1c0429f623de11937a2cd21a2b59745c47316650676859986962a32ce072eae3573023c52b9e7562430906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
ac27819ee724d4a2f8753ce6e2500fd4

SHA1
2c9f9557ab020d90b40b889b6c4fb62994bd86f8

SHA256
731175cf0c40ae22d5b1a141af7e7f8de7567a91fec0d1e8f055a1d771d3f814

SHA512
b118aef13fe3e882ad21c83ea2098425ee36b52f5dbb33c69f7822cbd38458dfdee7901de8803c334ca8faffd62707e87161b1fa249659f4907b6845bad589c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9bf66b3c0b08a3ae20e8b844d3338fed

SHA1
310b2b824f6317dc8020fc8a64d96c45856e27b4

SHA256
112fe3604c9f48b28e6446427cc247db04b75bd002c54e1df2d66e701f45c1f7

SHA512
47aac8b41402867aec83d5daf533c7924fcf474b22125ce474033e031b6fe9d6d499949d6126fe8ad131a95d8a7c79b3cc952e34cbca3cc209794fff7f8d0ed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9f98ae4da115747e8613133efdfa80c1

SHA1
2aa450648828e4c7883bcb4b39d09ee4d180d5b6

SHA256
fd5710d352998eb3ab981f45170636c8debee61a3cfc9fba1b9c3236df21fa5d

SHA512
0a52a932855b5c9cfdb5234e4e583270950d1fda58caff8c27f47e82c1a0f3d126684263d20482b9eda8e5a8c306061bd02c04ca24047d8e6c67bf04dfd5b5af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
6a47f03a70356d509c6c5d1140428724

SHA1
471e10594217a0da6242701cbe794855defd3efa

SHA256
3124d30f69c7c0d188e9a2a9e43bb7cf107eb9815bb71c56d87d809215a8930b

SHA512
66eb2ac6a0f874221443674ed7d431b1508378bed1e839c42f3ac973364e4a571d5f447bac26ef3fb191b69d9cb316db037288b531936262d384152dd0c9814e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit