hxxps://www[.]sarlus[.]com

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.sarlus.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133355512880817528"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4052	4512	chrome.exe	84
PID 4512 wrote to memory of 4052	4512	chrome.exe	84
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2520	4512	chrome.exe	87
PID 4512 wrote to memory of 2500	4512	chrome.exe	88
PID 4512 wrote to memory of 2500	4512	chrome.exe	88
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89
PID 4512 wrote to memory of 3740	4512	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.sarlus.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05659758,0x7ffa05659768,0x7ffa05659778
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:2
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4632 --field-trial-handle=1900,i,8923284891924920746,3663397955123722818,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
2b420b26d96c491660dfd23a168173ee

SHA1
296e7c1c60cc6e1d14a6cacb28257b674453af5d

SHA256
3e29628e347b7b993edef5095d84491fecc7ee05778fe479c4425fcdd71b4fdd

SHA512
05108387212b73f11a21557d4f65d7365c114ea931d24e4babee14379981eadabe1e641562e84c7cc7b61afb0cf672adeb4e1f2a1c64904a60f4dd0992617f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
59f2d65a569cc17dd23923190afcd903

SHA1
24df88c058278d6dec409d54a9a45e11784a40cc

SHA256
dc5be50fdae569f7064d29bd513f069d7e10eda92223789b35d2dd57500799a1

SHA512
fb0fcfbd9604199ba071dae08716f26b1e73c8b5ae54842d46d8dcddc7e0949b01217df25e924024c1e4d1d73f61812865f74ab4e054c44ab0f552d9d4dade46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
bbe1251dfe8b563684be7aad1358ce38

SHA1
d02c516623fde2769b0f9e426e43758975044183

SHA256
a43a799ce3c03f9a5ce57cdcf485174e86794000a7163745a685cf07affe84e3

SHA512
282315a210759a8b79aedc831dce0e70b4213d5d7e687c22519772bccf2b31f9519a134d0961890820899aece1ad5176833ba251ff1c3d108c759343660d2bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
912948dd918bcbdfa66d78783f449d58

SHA1
aec44a7df54a6fe40251c113a55af17cd3088148

SHA256
9208cb643218f4637221aa57ce8a6724ebaba8dfcc676055a4b26f5aa4a3961c

SHA512
de04494b3273f40f7a2b0fccc7e4a0fecc12529637f4de4d8021535b0ee27c1936ec252debbdbb70f331af4955c0c39924d771f2b9dde21bcef9e1c44915f4df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
902f14453f211b81a8b3d7b7d9d13573

SHA1
b2fb1471532d8fcc3f0241143ab2a3c483121558

SHA256
f6994ea1b6d6d6ef3ad30f655be657bd0b4758a146b75831165f67a1b22867e7

SHA512
2bbda6a2ca2422639da3fb1ec53978f2a8b1c15f56256e0268f66e825e715a91ce26ce7f1fc7b7f11b46cd393e1f8ce4f45182138cdbc9cea3a252fb969cb8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit