hxxp://nods[.]gov[.]ag

Resubmissions

07/08/2023, 21:54

230807-1r8saahe98 1

07/08/2023, 21:51

230807-1qmhnaba51 1

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://nods.gov.ag

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133359186963943743"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2812	2564	chrome.exe	81
PID 2564 wrote to memory of 2812	2564	chrome.exe	81
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 3532	2564	chrome.exe	83
PID 2564 wrote to memory of 1832	2564	chrome.exe	84
PID 2564 wrote to memory of 1832	2564	chrome.exe	84
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85
PID 2564 wrote to memory of 3012	2564	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://nods.gov.ag
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff375d9758,0x7fff375d9768,0x7fff375d9778
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:2
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4884 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1888,i,6631494021231008835,1093211542688629892,131072 /prefetch:8
  2⤵
  PID:4468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
0cb176ca4f3e01d5dd9c99e733a47948

SHA1
5d3c003bb3bbd6d26381b71fba5030071317caa0

SHA256
4031376cabbef4fd3cbf701ca4a33a0a8721e9d51b58b57a865a433027c52a31

SHA512
a25ccb4617540f376741f85ebd4d994517accc0e162c33cc0dd280954c5041fc4960e3284e4f4854e1fc5ade633c5dc0ef5d7f58ad0ac3951d727edd8ad316b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
931cf063b68f7734e68a3093e62bdfad

SHA1
e100a498cbc3fa061d8dd01ae6d4331bc5607b21

SHA256
1245ab41b389d6536b3d2268a91d245eda683fed6306fc6b62ea80d44af5817b

SHA512
6037ef2b582e8a87437477c1c762aa7a19da66fcaf789200967545880a303744d68d56c28cb4adcac28ff45b80f01226f2cd347cc990fa676187cfbaea06921f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
88ac30ea923f41de3d60464d9058f302

SHA1
f970f3d56ae1c29e854e0066332166d2c75cea58

SHA256
a086b3dd388dcec9d764fe9965adb848c3cde6bc3739cd10ca854c7d7f05cc3e

SHA512
b8cdc636a8bf37d0bbabbf87fd3677030053c0f784911fa1fb6f053dab7599bb388ebe3906c83f94eeda23d70b61b9e40cf2d3f342600c2e05f0c98d8cb962e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
efdcbdf4d78b3d301b92a36854e47d23

SHA1
a9f3b61cbf0693a570bb117313b1c261b12f53ee

SHA256
8b376d141c898a62915d324829e6bf06c13c3f1bf17ccf7ed5759935e09c67e6

SHA512
e11248df377c91a1a81006d5226f869b8fba6df0206c96f3be453d51133718c4518ecfa55c5fcffb71f8185346efbff7d80d9e093b2c32cc1d08fc1119df9f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c13232e67a3a5ea8c23381f2c3cce46

SHA1
c4c98e01c1f38aa70d36158e9157ecb9d25bec7c

SHA256
5fc31876f6b79b22467309f8eeff2fe9661fe2c326681ad7ff9756872b662576

SHA512
872232d9701b8f0aeba0725d8321f52fdcdb57995aefed3834f8b09dcd11047c8b9a8a4b01635946a95eeacd34ad141215bd933d3b2ad7104481ae371f32af50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
1c5aebb8e6141850e29ec6cdba0c5a27

SHA1
8472dd711c2d398e59eaf5925e94e32c50ae11c2

SHA256
0188438af16c03027b7b04e8c9452083cf8a8898d370cecfbf0e8de253d1e66d

SHA512
5934e8e3bfe35612034c0c2a50746fb6c81d2c9e24810bb9989ebb26eb1248af23a82954456ce081671a28ec6644572a5b532e160d32b4c56f8cb0693c2c97db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
aa534263af532f48c2daf0273d307cad

SHA1
905f012c21a188ce7f695ddd4fd10fe833be14c6

SHA256
79bf5492db7adbc9611e1aacc0d6f21d385e0f07e43b0a2ea023f8b437076736

SHA512
d554cc39fc4ae03fa280aca87166d6825a996def098af127d75e6520e904565b6c3fcf4664c738b1853cafac238030a5a8f48efc94bade4dfff7b7f2f43a6198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
07274811807a9dae598bafb1717c7b0b

SHA1
4269ced4ccc3a97ca5364eb08f8cab1147416701

SHA256
9363ff98c85ef55e2aa6bdd6048981f4f0b7b4ee2f5705ad650d25364ecd66bd

SHA512
f598d0db5d9e533e6f9fe7e70ec1270187fb17d906e6193c2d6fa6818ad2a4230dd66bb36c29138f851a1e38546ed5e8aeaea7260c222b57ed8262458bf79056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit