hxxps://www[.]castaniergallery[.]com/exhibition/

Analysis

max time kernel
114s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.castaniergallery.com/exhibition/

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373774221926729"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4140	3668	chrome.exe	70
PID 3668 wrote to memory of 4140	3668	chrome.exe	70
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2536	3668	chrome.exe	87
PID 3668 wrote to memory of 2000	3668	chrome.exe	86
PID 3668 wrote to memory of 2000	3668	chrome.exe	86
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83
PID 3668 wrote to memory of 396	3668	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.castaniergallery.com/exhibition/
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd30489758,0x7ffd30489768,0x7ffd30489778
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:2
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3276 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3048 --field-trial-handle=1876,i,17584228952838313592,8752759122681196190,131072 /prefetch:1
  2⤵
  PID:3952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
55de5ff062934c62e855ec1f5b6b084d

SHA1
b731a809de8b9fda229f88a47122665bc85056fb

SHA256
6b1774dec6e38bd3246abfa3fb1ebc899a445c65d6900efc9fc3e372a499f45d

SHA512
09c3f62b586a8876f3858e79e4e7e71fedf5d4acb23b623d2e357553b6730a867309bbc892d6876a68e58ed11c84853b0b8954370c3a16c9f0db660b1373dc63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df96a6da2c7fbcdf44bf3b7e4e7e8bc0

SHA1
a1d1fa5017251cc593737da96d8dd7b49199fe20

SHA256
239a58c7d2c44c2cfdfb6dd969ad8bc3cf4622a67d5fb8f9dc5664562a0134e6

SHA512
f11f8c72db5f51891d0761d5cc5b6c1dd541fa8d309b60eae3fc8267a7f9362c1f5e8b5cc3f26ecbe79bbd07d943059abd29a4ef2f4ce8be5ba80a9e2b7488c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c39adc4144e467c7c5c51b3a007a54cc

SHA1
87edfc6fc681b5b0c9d4bb6bb14236caa33bc4d7

SHA256
a8eddf6a8ce5a292dde1040b12bec714a035bc2271b52e332ebab6f4f68fe738

SHA512
dadcf9b00fda06927708fc6cac78deb66626d8a78680c832469743d7b7bf552c802777d00b1fa69c39317430cf49f8eb36bf05f0021255bdf4f092d51dd954ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
2ec1881aa3d4ff63cac24ee88b5d9b43

SHA1
e188545466c0a710452ab763cafbd43364ebc7d9

SHA256
b0e5daf59e1bf8f7423255b566af7412677306d2ec2c22349644a85cc4542bda

SHA512
288a75ffb52547aaa114baabad266cf2b7f4634c24639caa1185e1ad45ab9d0627157509d39d2a20ed02309167854bb1191afbe0c925476c1032c700f26731d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cbddaeb14c54893a9a1e73640f0b2d62

SHA1
5f27f50f9c91c6d7213f8f896e8ba6ae0b186906

SHA256
548886fe21b9ffeee94b0b341fb4b920936d5dc28d62af02a374e6655e95d75a

SHA512
aa3bcb96d68d2a93b97bf9c2b12573aefeadac26db8ea2a2e8cf7111e7caa41a5324c8aa57091cfd67bc2695e185763c6f25d1e0ba62fe8c89d65f4fc5f40b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1fbf171aba5cba69c172694f6d727ed0

SHA1
7ed0c85632db33107c08f54e7abf1c58b1d39907

SHA256
2ec611b063790a6e0709ec8e0aa7c5998a190c4ac8362f0e8124929812359e53

SHA512
d04df23efb7ee8df88896095cbd1041a76dbe2279a2866319ddd8a1db168e44c5ed54a3472341361ed6e2ec5a871baf244ffd81c1f60a6e06d7f7c7cdc261f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
964260a129b11e6d4a3d4ff3961706af

SHA1
d31b7ebcd51ec270e482204e70a687bce0e83657

SHA256
a2ac829f7b09cf7992a523eb5840d50c6b7d1d4d78d1e0177537187cafe3e603

SHA512
f53d7c5feeacf2218c5ffce1d1cd93c277103f9acf842dc6e2474d23014c529b7e2f9885d1e300a66a4d03d317700666cecb71413cc375b62433b4a71924a1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
efc96dfc3a814de8351dd2a8043c4cd7

SHA1
a2a8bf04d58b6228131a8b9ae2fe09de4a2ef327

SHA256
b832efdfc8da7f350417a0b6a2b902e9ef24568ea54b390d603e113a08386896

SHA512
f6b877125283e7a5323ae145a6fec313f58bc4a49b90d7d8b9d005d3e25be74ebc75e9ae188f44ce3b97be18b966d8061806a2e2c2e378e60bf79f0c00cab703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
14c0456291a03bc72b461735e8a65558

SHA1
ef903a71516c8ff82ea7db61472ac1a0a1db631e

SHA256
988269d38a9c79d9cf947d4ee95ba792d034ff0c0205d3f2999f9769e2313225

SHA512
662e8dc95d2be1560586ac076c0361d168e09a857a2ff8262b7caf3da9cb4bf106c71e09e8600fa328dd03d549eeeb72fdaa048733e8549edf95d4b6e23ff7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit