hxxp://23[.]205[.]249[.]209

Analysis

max time kernel
150s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
18-08-2023 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://23.205.249.209

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133368382744929311"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4136	chrome.exe
4136	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4040	4588	chrome.exe	70
PID 4588 wrote to memory of 4040	4588	chrome.exe	70
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4516	4588	chrome.exe	73
PID 4588 wrote to memory of 4024	4588	chrome.exe	72
PID 4588 wrote to memory of 4024	4588	chrome.exe	72
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74
PID 4588 wrote to memory of 4536	4588	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://23.205.249.209
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd79369758,0x7ffd79369768,0x7ffd79369778
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:2
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2728 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2604 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1492 --field-trial-handle=1760,i,4669647944171294271,7091970557475571549,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a94013b5156b1c2ff5c29ed3a45bdf0

SHA1
62bc81f0051724ba0ecea3dec401b0c828231f35

SHA256
b7eaec9f31ef8bcb371ee718a50b2fc36a1577b3a4479fd72966fa8a2d18ce0c

SHA512
acd42de155d454c57041f0668a82316607f7b1e3776cba85cefef893a77c997855913c552b3fac52fd5928aab8510f4164d4fdb96b14d4ff8fbf4ff9c8ad532a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
44f4d0f21b42b628246fe57411fdf464

SHA1
310468a0ea47729a33f20446ec40ed1c47d6c5aa

SHA256
7fc269b1805356726c34fd87a28a9d32301a8ac97e0c6aaaec7de9062d2b7670

SHA512
c5af8e1af3ebef7c7f2db8ebf2c9677c8de65c6a9308ca0cf7e7e3a93d6d6ed6e8fee1a85a2afce28c4a8589f92d84294d268d35e7dc23bf01d3a5b47be3a519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1c724313fc0d4f3d0ddc96faba0048fe

SHA1
d3a1e8a9e27e37f501c53da2eef6fe63299bc11e

SHA256
06c76a6a0907814e710cb05150790cb578c6b3961278f381eacc04774cc788ed

SHA512
4bebc6c5f62fd91a215819b78aa0bb2243380c932249e6b3558e46653a3989765ce216d220f3f62e9cdf255018277202911305b5cf0057a75b9787400ac5cfae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f22ab6d333de783266218dce7d5e581c

SHA1
74ee5120f9489966a83737be1b45728384bd9c6f

SHA256
81456d3ffb9025bb4510d40ef4a1953a556c112ace5f26af1afca0f7ae056727

SHA512
15bfac37b4d7e0c93c3ac6e0adb23c96d9ea15628e616c5cf18b1e3f39231f204c36650edad03b9ac03df12692e7184c4a9c5e2d985f179dcb833a7e58a123fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
27012455bbeee059473479457490bf87

SHA1
7543895d1b8604e9b849cecaedb8ae6adc8087a6

SHA256
803f44ff6bf82ff283c2bd5c922b115384ef8014e33d8d367e90e114e56da957

SHA512
6a3925c28d3c11747e5ce1ddbad6bbfa0ad184c0a2ecb9e495d7567da38d71d2a152edede5a98e30490bc6faad3953075df26612589f59b16720d4f515319c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit