hxxps://marketplace[.]upgrade[.]st/&utm_source=email/%23tickets

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://marketplace.upgrade.st/&utm_source=email/%23tickets

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133376836583681497"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
792	chrome.exe
792	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe
Token: SeShutdownPrivilege	792	chrome.exe
Token: SeCreatePagefilePrivilege	792	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe
792	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3472	792	chrome.exe	81
PID 792 wrote to memory of 3472	792	chrome.exe	81
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1820	792	chrome.exe	83
PID 792 wrote to memory of 1252	792	chrome.exe	85
PID 792 wrote to memory of 1252	792	chrome.exe	85
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84
PID 792 wrote to memory of 412	792	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://marketplace.upgrade.st/&utm_source=email/%23tickets
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd919b9758,0x7ffd919b9768,0x7ffd919b9778
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:2
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5220 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3172 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,7769451625667478311,5716961543955618652,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
8b82bd63bd55a5bcb654159423e98f01

SHA1
e7ae6d573da657c0320cde98ae9a318997390478

SHA256
9227bda181067b24b50886f4b98ddb32434ff3723ee4c0d0ab4287cd84a492bc

SHA512
c4f8d94250d66927cc23f50770677bead483b7d2697d6033116db99faa438b938004f537cc85a1da8f3cf7da9e8fd7ecc56e86cecea36a2fdb761f179bd922cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
18d5d0169e4dfd26c6a33722b31217cf

SHA1
a5ea62a0a3f79909761ba2737efb6ec765ba74fa

SHA256
20631d3be9c86635e038113e36284420225646086802f86a7c8da1bb9ff3628b

SHA512
88fe56b4e0dcc7accdfd324161043f83363771a79d0adb4ec412b97d5f8a1f2422d5bcf76773a63b24dd19d3da58bdf07e82fc80d199e9a28bf6aa67f81db310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
9cd9826dd7d8e4172e01db1ac5903095

SHA1
f9bcd7e8fd9cbfa267b3496404b17a0ca72dc228

SHA256
13379198975d4e91c232f26489b1eec42625845c62bd1c8d4caea33138d1273e

SHA512
8220d532a20d31db19c6d010ccb8515b1b4ce4deb4c6804c8f0a75bfba8cb25b74a56bd26782fc7af4a6e5d60e7b49b09b6dc8ee6cb549c272e3379fd57e9dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d1116d29cb3ef22cc5d60c8aae8f32c

SHA1
3b4f03e3a64965b92ca40a9c9c2fade321c4dd90

SHA256
b27fbac4bfa7cf64840c3d527a5e2a2ae033e35a7e30523f5a6697d45cbf4dac

SHA512
134ee22aaa7eec5451af08595aaa9162fc4f202d40ccc20477bb58eded99f8d8c072b3f5dc0e0cbe8100a652dd7f3a3eb9bf540388198279e41d55951bbc8442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0a0daccc94c4348e0dd6fee897e24e6e

SHA1
8d8e13133dc08ad030c5ac6267f545765ce8a480

SHA256
6a7057061a6d6e8bc8033cad1a6ce2c51172c6a58450ab98b186388e0aa028ed

SHA512
fe5367a5a679ee19aadb21dbe385ee13edbf4c2e6a0e279c75b86161dac024a52f886f5ac92d156126716fa494ce23fce15ee55841a75aa1a9a0d915b38e4f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit