b4c498afb6dbaae39e7a13fff2e7294a4f42cabe160821839974dcc174bddef7

Analysis

max time kernel
1800s
max time network
1689s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2023 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

showcaptcha.html
Size

12KB
MD5

190f0633378eb7bdc62670ebe336a113
SHA1

adab1e1dc66bb6b5e7485ba9f4a38af4dab72f15
SHA256

b4c498afb6dbaae39e7a13fff2e7294a4f42cabe160821839974dcc174bddef7
SHA512

fb6fcf71c0d5bce105621121a7481b540862aec15bb62784338ef8393588bf9e0caffa01d94f08a8e98f88c4012d76d906abc4e83ddfd85b9f567e2f589adc14
SSDEEP

192:zDR5uUJb738igxKyCdewW0hoSTHW3fAmno2FNzLFAxHTriS693vRkNLd2Y4CMQzZ:fRsWrgErtBIo2FNz5ck3vRkNRQCMitr

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133345947832035370"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4496	4048	chrome.exe	84
PID 4048 wrote to memory of 4496	4048	chrome.exe	84
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 2320	4048	chrome.exe	88
PID 4048 wrote to memory of 4812	4048	chrome.exe	89
PID 4048 wrote to memory of 4812	4048	chrome.exe	89
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90
PID 4048 wrote to memory of 4136	4048	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\showcaptcha.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5da39758,0x7ffa5da39768,0x7ffa5da39778
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:2
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1880,i,14518147523623119528,16940901683285651749,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1fe0ec48-ffdf-440c-977e-4978eb495c84.tmp

Filesize
872B

MD5
95bcb351af8f3c01e56957c4230c0e71

SHA1
0be5399d9ea765ac26bc7b1382afd539dfdf9dde

SHA256
00f86690d82421ca88331127ff06360afc43feb413e88764d486eec8acdd3d98

SHA512
2a9cb9f4f563412596f8e6a4f01fddc82e63b9099f0f8a055369a9a6bf5b0163101db3572e23dafbc7b7c4ed3e681fb2a729fa0e9c846d3f98f9baaa51b49bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9ce63aeb-c7cf-4597-bd59-c20c4c3af69f.tmp

Filesize
1KB

MD5
9917e84f47b5a5232b592e9328a3cca1

SHA1
66dceb8c7781724affa87bc631a24e647d04e7d3

SHA256
7d3284a7ce04833a5ca6d3a67993e164dd763773177dc065605df50edfe8224c

SHA512
edd68434d1bdd08bc7869f241b29b4190b38ab05627dc6e65e4223a01311b03255fa4483d00ad1c0f23996d4c6257d9edd2b6ab4cafd074885c3ca13e5f6cd8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
626f441830cd0aa36158db8fdb837c50

SHA1
09845f762f3a904bd6421e58c6da6f66193a49e3

SHA256
dbe10064822bfdaa60d61e8e557ef2a1a7dc6f1471afcc6d8fc417dd9976b2bd

SHA512
e1b014f4ad8f5e3f21301b3aac51f5e0b89abc9d8cda3f0b3b397fc3e5a1466b50d3a7bfe124f75e99bc32716d2e0d1d9bba704a4cbcc490eb09489a3c2642c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
66966ab6058c27e85ea5e3165bb4f98b

SHA1
2ae03f8ec15f40bc1ffef310d4a92c3b05efa807

SHA256
b72c70a420651870278e73f450e8baf1b59a4cd17d7518f54bfdb2e6f0d0fa7b

SHA512
28a1e104faa396c8249e2bd6a4bf278b41b86ca88ab3d13e1e2f5f81d41a1a9c0212dba708674272b05c1612c7d73d53a8415e53f2e9d01b97a337e53f4976f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dd5e8c39f1999555ae2ab3a3fd23650b

SHA1
55b09e7e91f629327011660068b2cd768b3fcc84

SHA256
951c95e0fa26f997841f080aa2104c50b188aca357aa8c75b8a00a54335266bd

SHA512
db598296397f30eb2dc4bfabe2ed90b6e7f250e55907cd80936c7a9a90d6373a5ffbe01792e598ceddf6566ecb2f7b2c0168e26172eaa57b7c5f8d294470bf73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
75ccac6855b9ea59f470b48f3d7e43dc

SHA1
03737ea1888e564ecc488bc0c57ba1d7150a02dd

SHA256
04114ea9effcb41fc63e000a92f102d12523a39d978368726ac5cbe0e37a290f

SHA512
c656bc2a45c110ea792c852bdae6926919eef7fd7c35cac500b5a29ff733ca329ef3062c3dea49cb853bd9831dd21ce8c5c4dafe5eeb06a021d5a8023e99b64a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
51ffeaf5318651133a5c5b0434f4e767

SHA1
ee384aa9967674a5fc320a0b02b885bc01fb82f0

SHA256
74f4c3affd99fa06c6453ee0e01b1efcd39d1e82c9f66c2545ad6fe9cced7454

SHA512
62944a576c402022e131f782e5b98165ba89aa0429692b91bb549fbe30f93c930e9694c5a5d1f955ecdc2f608406ff3f5240a7d4061dbd2f402f1e15e4b8d653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit