hxxps://tvsnext[.]tellwise[.]com/rest/v1/open/kNBbWXk7BAA

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 06:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://tvsnext.tellwise.com/rest/v1/open/kNBbWXk7BAA

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133367272468008977"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
3484	chrome.exe
3484	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4512	1472	chrome.exe	70
PID 1472 wrote to memory of 4512	1472	chrome.exe	70
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4288	1472	chrome.exe	82
PID 1472 wrote to memory of 4148	1472	chrome.exe	84
PID 1472 wrote to memory of 4148	1472	chrome.exe	84
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83
PID 1472 wrote to memory of 4136	1472	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tvsnext.tellwise.com/rest/v1/open/kNBbWXk7BAA
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff991499758,0x7ff991499768,0x7ff991499778
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2492 --field-trial-handle=1868,i,15595573123214224096,17225165934826962585,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
898B

MD5
54591a269591eaf0c90e36f96358f314

SHA1
ae8a0c368798d5d0455ce18cdb8d8d4677ca19ce

SHA256
6c52c2917b708f3d808859237804450222e2de5be91ca4357680df87ae0728ce

SHA512
ed213dcac2b1cff86d9bce4b533d55f3bfd267dc07f81707842d38032072d943a914ccda08ec159df5d9cdb9463eb87eb680ef0e493de54a2a86f8e8e8609903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
51c06bdc8e5dc6518372b3b40c2951b2

SHA1
e49382070e60017f9f6a6968e133755893addaf4

SHA256
1ae0eadc887076bdae60f978588c92f018b9a5072a7c558337f86959666b24ce

SHA512
4d44bc5b26e6526df56c4bd0c2c2f1fcd4ab8db0d15d26021509b746329d5717b90bf042bd9520d86782d496aa0bec8d10c3676d4cf884a0d7f6c5aa5c70c230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
761cd6c589a3c0e2c682308fc03c21ed

SHA1
4991032dbf4941da74cc95f76520096cb6139310

SHA256
6cd7782e2f3c991ae130dba0b8e0cb7548794b90e99a2385103f0f575f66d1d2

SHA512
675919a6ea8f2573fb3c4c228e98766bcabe7837b020d3df0400fb1634c60c7da1b3e3dfbcf661a4e23c10ac465fc8b93850183417d3bddd1569c846d5cc7d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7af11522b66401a0759b77333502d917

SHA1
8c8f36da82f6250e92f08359cad60fed3840b73d

SHA256
cf388c1baf226f0af8490c1f6bf7f1cc6feabde84fad7ea5aad0821eb94e508e

SHA512
015a02f13f386b34de09ce1c589d99ca20176eaf33914d6acc7bb7a1e897d1a8ac4fab8f8a868f7860dd49f2ff7fcc3cb7332e9f74168af23da806b3bc3e5b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b393b3d45467b7bdb41cbd19e83ca268

SHA1
b94b771c7a7200554c32fffa073b31c33e98c868

SHA256
59cec1abe0bd2d210ee1ae1445528fee1641db8836421452c21ae3c0fb4d786e

SHA512
546a8ed4c894840ae26228c8ca5901c5ed5e5481ebe2b00adcdef3d65a2e06cbc7d4f4d3c22dfbcce23aecb4f9a47f30056b5c6e531dccc4473df58870027d1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
1e5a23ffc0c5ddfabd17e61c880269bc

SHA1
29791ff5e3d837d2bdedd0bb7ca9e78902df9732

SHA256
9b1b0173ee910704b7698c7756494c5051d478c0db13e03f205e50a1e000ec8a

SHA512
dd41154c8eb0980812e473ce1f21e98497b822f7b8d9cd8c1681e505a108cbab04a0251198d5f41e864f6d55e5788bf2f764dab785d72b8c47cbc1f8a2835b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit