hxxp://ato-gov-aus[.]cyou

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ato-gov-aus.cyou

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358593018478490"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4244	chrome.exe
4244	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2668	4264	chrome.exe	72
PID 4264 wrote to memory of 2668	4264	chrome.exe	72
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 2288	4264	chrome.exe	85
PID 4264 wrote to memory of 1480	4264	chrome.exe	89
PID 4264 wrote to memory of 1480	4264	chrome.exe	89
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86
PID 4264 wrote to memory of 1712	4264	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://ato-gov-aus.cyou
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f5049758,0x7ff8f5049768,0x7ff8f5049778
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3900 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3132 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3984 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3780 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 --field-trial-handle=1876,i,15509433580514420614,12956797035222732194,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
f1e76d313f1de43f6a00388cd73cc642

SHA1
5affe35ca90dd5d0fe6d1b2485b3b9d6f8a790dd

SHA256
4fb3565d324ee650ae53b8bf21db26e31342adece2bc0161b9f337db8dc8417c

SHA512
d8dbd7c39a6c8b7103e8199dfe901586430d74400dba5992bc7ad152404f9674edd754cba7bb02fbdd5eb2c7d0f29701db7cd166c6c386957b92e98bc54ecef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c43cf4d496306ca1f5a2843e6e7d23fa

SHA1
a2f80b7af3bceba57d2ff4fd50ca6364e7c3e12f

SHA256
c0057f0514db712c1ebe32df88ea32d0388d9e548e6a27ffa587a5eeebf234e8

SHA512
9eab96e2096d8eab83a7046ff163e6e2cd95fe03a4c4942d21ec99690ec508febba293de552c7b659514afa2863180a244421d004edeb16523812446dfbe3cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8226f0013f4f60c7a8a4f668985efc40

SHA1
ec82841c99852585d5c4ca83809131c81a7ef498

SHA256
96bf0317289e6ccdc6973a4c78d0bc8e059998e7db9c867c2c435bc21adbb45d

SHA512
2e35e27bc636eb8e34211b48bae5aa301f1e88a03eb6849a96eda5d2b7d58d77467e4e869826d5d7d13ce3e796d5080d17b8fefbe8f96a05a44ce26f66c5b64a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
ac5251cc9f0d04711ecfa4411d892e28

SHA1
57dfa4cb160c11ce65c9a9ac92b5b182ff588315

SHA256
901e476f3fcf3192dabc8c1ffdec5c14d0004580f761ef94092114195edfe456

SHA512
18c2e5b03a8575693232016643d05cefcdd7adea8b28e36b1875f09fcfd5d72f8af128cd3c1b5b6a9c89df6ef32988a366db13aca2b787c2fddedd78ba5feb16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit