hxxp://oxy[.]name/d/eKTf

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://oxy.name/d/eKTf

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133357959416634824"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
4200	chrome.exe
4200	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4104	2416	chrome.exe	67
PID 2416 wrote to memory of 4104	2416	chrome.exe	67
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 4564	2416	chrome.exe	83
PID 2416 wrote to memory of 3604	2416	chrome.exe	84
PID 2416 wrote to memory of 3604	2416	chrome.exe	84
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86
PID 2416 wrote to memory of 1072	2416	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://oxy.name/d/eKTf
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe51b69758,0x7ffe51b69768,0x7ffe51b69778
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4680 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5052 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4792 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5416 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5396 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5612 --field-trial-handle=1876,i,7203030656880627704,15677947652651718287,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
7180129707609f926f8d153c66f345fa

SHA1
a0cfba5a04508039727b5da65799173af0bdbfe2

SHA256
0f8ed39ec145a38a3ba124127f4764728377f7e9cad170348eefee0fede43bc3

SHA512
9abc210a35e083e59b92feab69b32e738b906b7198d0f327a10cede09969e5b66fe92287c5b3b90307a82b1fbb5eb14e6ff69b9e7c47946b3bce8815a808f7d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c02436c7cfd5b431e62f46be40f7ca70

SHA1
14d99506684ad72269522928799c4fef7b2cf7df

SHA256
ed2ce76ca2fdd04f27d37d8be5da60ac419e1100b12b5daf400f6a8dce9e866e

SHA512
e3d8076ae8864838c14ac79d317ce26c75b961cc74b1501a165a762bcc6deb37f2d5ffec4b1a3b65574487b9445dfebd0964f1334537dc86c911db6568c5b8e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f53a6174d2d22b7913beea48ef58da96

SHA1
d78d70f2362265a7b5e3a9eccabc8bb5875be750

SHA256
0f921de8b51754b5535e64bdc4cb172e678d18d997205f0bf07e33e714a4ecf9

SHA512
f393abf7a6281770eb728d92ce18d3d846a5371f4ece5054b4a22b9b8bbef78d4d458251b4535139d6542d0093ad5033e842de84e9d0c1af54e98831405a8f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e8f2b94a6e79a5afb727b4766220a94

SHA1
8598f2f255020ece3220b0e4d56080ad0c91ede8

SHA256
54e877c59523a1a7e510b3871b1a954f5ba20b6a5060c17b67da30d272901e01

SHA512
ff2ad2040183fa073adf858fa1044fcb0bac0237d806bc55230a9851f0d8912705fff6217d99f7cb681dba20c1e66fbdbbd5f5d9f8f72446639d89c2c3b8f50c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
4b4532038656b4bddcd9fd523e241290

SHA1
340ffc537002cd6363162f5e0240f68dfc76a17e

SHA256
742315283c9ba99881bc4bb334a6476ab60c63c65b2c91e7efad34390065b5b0

SHA512
26ab743cbecc6457d5725a8eea3eda5df38aec81a27a31e606e0cde1fe3cb97446aa7707d00cf498df8355e0fa72ce34e55dc476aa7809d5e7a3d8f87ffdfa57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit