hxxp://review-ato-office-australia[.]com

Analysis

max time kernel
299s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://review-ato-office-australia.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133354047830935554"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3992	chrome.exe
3992	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe
Token: SeShutdownPrivilege	3992	chrome.exe
Token: SeCreatePagefilePrivilege	3992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe
3992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 216	3992	chrome.exe	85
PID 3992 wrote to memory of 216	3992	chrome.exe	85
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5036	3992	chrome.exe	88
PID 3992 wrote to memory of 5096	3992	chrome.exe	87
PID 3992 wrote to memory of 5096	3992	chrome.exe	87
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89
PID 3992 wrote to memory of 932	3992	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://review-ato-office-australia.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d5ad9758,0x7ff8d5ad9768,0x7ff8d5ad9778
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3436 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3964 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3864 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1836 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=212 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3316 --field-trial-handle=1892,i,8843226799836140553,5046661724043193481,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8aee596b71b297a073d2e0adb32628e6

SHA1
841fb55bb479a673d06d50598546aaa638cd1c74

SHA256
a33c7ed1bfa828a588d4c31dcfa018ff7ef53ad1e93bb27d86fb27f8ec5da2d4

SHA512
e626c46cfde4e645a358d04bda84f2d0a46d31fc7bfb059ec5b2ba8506178187bc2dc0bb122a9e8ba4080c9f5ef905bd7f23e7227ac44656e0e51f85ea0f8014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8ed866267214a4b1981875aa959096ee

SHA1
7441a47ca68c99d33628b6b74ee62b18d504f56f

SHA256
bbd21e0ec7789966ee4a5d36b480a7aaec8c1659e0d819809b4c3f77181f9988

SHA512
6c8a6431307b7bb6ee1b3fa9a29aec4abd241ac8413e66076e4e72b329d5c3c2b216631d7f015f1bcb19b8306ea0da694d5320d05c1b00423d5c045059e0cdfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c82d9cf0c4256f5db4e641ea33f6f1d9

SHA1
cc1e2d4767a205d076030f8f7c57263a949234d9

SHA256
10c162e059cc3501da3c96e0a204469f87724e8beb3278548b305a9b5d55b153

SHA512
d4bd53e01ec5c7cc8c368e439203588f2f49f66af587333445acc1bf3bce0d095b51ccd571dd4b12fe10ab079c2d6da137c7c454d758ae680eb7608e54e725a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
800ffe07a3a51a9da3e53ec03b893a17

SHA1
a174021de84597f9200734fc3250a33883806384

SHA256
7005d95e10b9be41a8a18bcd2b48b4c90e153e073b768362415050787657d13c

SHA512
d490ac84641bb05220d1b6a668a971a53cb6186aaf9bc1e7476626579924be8da8426ecca91bd0e6fb514401f3276814f39cd3e1befa87c339340cb984645718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit