hxxps://impecunious-emolument-ed9810bce0fe[.]herokuapp[.]com/+?y=49ii4eh26oq6adb16gr34p1icdijedpg61gj6d9l6limcdp2

Analysis

max time kernel
158s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 07:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://impecunious-emolument-ed9810bce0fe.herokuapp.com/+?y=49ii4eh26oq6adb16gr34p1icdijedpg61gj6d9l6limcdp2

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133372507463741330"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3768	3260	chrome.exe	81
PID 3260 wrote to memory of 3768	3260	chrome.exe	81
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 924	3260	chrome.exe	84
PID 3260 wrote to memory of 3744	3260	chrome.exe	85
PID 3260 wrote to memory of 3744	3260	chrome.exe	85
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86
PID 3260 wrote to memory of 220	3260	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://impecunious-emolument-ed9810bce0fe.herokuapp.com/+?y=49ii4eh26oq6adb16gr34p1icdijedpg61gj6d9l6limcdp2
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc14cd9758,0x7ffc14cd9768,0x7ffc14cd9778
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:2
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3892 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 --field-trial-handle=1832,i,4577105040395926575,2948127834407655419,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1019B

MD5
157e3ece7e4f39eacd4d7c947db1fec9

SHA1
5efb17c047dc9e53d2fde15e4ae4b55bf09b2580

SHA256
23cf8f3623021ea4a3b55bd25fea8df2c0700180603bf326da5fa944293b2379

SHA512
e46b5f1aa417ab7662eb00038162ed134c8762214842946d4f932a7186005c265150a7638807c05df26d3c12477566fe1d236508ae25101ee4d43b65a2e9d7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
5be28b3cd993450aa3894df2f94f8768

SHA1
10e639eb0be09836192a9a6e8070f53b3d18583c

SHA256
4fb918cc50d148904de017bb1ea1f976b560324f27c8032c7218d6ebaa3cb008

SHA512
029199d76500d3d8dd2e55f8573ad32d61794d2cef3d8e50b4979b0e924184ed49003f0f71d139b46d631f15af5f8124f6fbf75fc578f2c392202c373829bdd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fb5741762a88df747a839d92be99a888

SHA1
dbe8b746a499026338c482cc8f4278b03f72aa30

SHA256
63c9766811686be7126f90a34af0ec69ecbb441e3ddd4bfb3992d162c4ef6e02

SHA512
df3c0a2569f22fdec5f9680c1122565ffc915b461790cda5fafcf099df143d81739a0b161e187d023be7997afdc42335ee55be759aecafd3a28156c8b673683b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
37050c112fff810aa04324d8a52cc8d3

SHA1
6c357e6249602c32a5a4e7de0a54e57be2f06be8

SHA256
abadccae19c2f378f97778aecac8b335ef05a6bca84edb5f758a05a8c16ff76a

SHA512
b068e5660352bd4dcc302717d82f6be5b65bb3928cce2fe2dfac191dad9dc3e275c7b9de87d9618bb01643b351ac73fe24dd2705b0535736661bb6d582338f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
961e87ed9b3ed0a8e418b5949bab99da

SHA1
2dbe1a1c7edcbf42d938481a54b3e4bbfd60e60a

SHA256
9bb6f3bd11fe1f55d1c153a212adff80155203a8cbf6a09acc204656e8c827bb

SHA512
70571e4e12869817be6e7cc3804e8a9283bc4b830e2fe88bc2f101eec7e1b9216ce9ef3c5a2f99a5cbb99ad60ab56feb9050f19a4a52b7c8cb63a19be87a0269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
d29e561d50aef164260926482c876a66

SHA1
6959aa3cebcb2516f8935a610a0cc04365117732

SHA256
322d91817b202d9a55c0f211d3f8226b25e8a74cac04ae2144b03403d18fe5b2

SHA512
e1f8f28c416491027d106590c41d354fcf306741c5215c2859acc0c9365f9ace36d873a992695112f0c00adb14165e2fd8efeaeea62164f67980d59cad5fb028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
cdc1fce9973da44dc893338276284f43

SHA1
0abe93db803fdcce3de63d914cb03623a55c26cb

SHA256
a54b70f6215e362d668abd231b7279d1a900f0188e5bb158af27ac14e0b5bd9e

SHA512
a4c7f76ded2d620d6889a6976eb86dce4234a1d69eb3a5cc3c0d7361fffb962283354fce7db76152127216559a7f4db123263a0cb9f87bdb5279207360f16c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit