hxxp://203[.]48[.]81[.]166

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://203.48.81.166

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3240	4328	WerFault.exe	59

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377284760505210"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
3940	chrome.exe
3940	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3732	4400	chrome.exe	83
PID 4400 wrote to memory of 3732	4400	chrome.exe	83
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4848	4400	chrome.exe	85
PID 4400 wrote to memory of 4440	4400	chrome.exe	87
PID 4400 wrote to memory of 4440	4400	chrome.exe	87
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86
PID 4400 wrote to memory of 4924	4400	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://203.48.81.166
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0b2b9758,0x7fff0b2b9768,0x7fff0b2b9778
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2780 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2756 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4924 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3244 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3896 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3412 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 --field-trial-handle=1840,i,2879467136495651699,8647191907865517164,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4328 -ip 4328
1⤵
PID:4244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 2424
1⤵
- Program crash
PID:3240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
e5b31d80d0ccaaea153609cb84e503ea

SHA1
f5503359bf521b76f7ee10a6699067b557c969f2

SHA256
1fe9455961040eed87a514313e38c15a35dc93a5136cd4c4893832d9659d4a54

SHA512
f2ad7af07c77ead7143161d5b571deb535b4588f93cdc743cda96570b4e59b9dc54d0a497ae557c2731aa8342f86ae3b6c129116a3dabc99aad42f1b35331a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
83b7ef3489c42a3310f8e27fdfe0f181

SHA1
88cf176badc4f1f866dfb312cc4dec191469fb1c

SHA256
0160e6991099444bfcdc61d9a19b5fd7127265e4aa83ee3bcb7d4226ef5fe3c5

SHA512
33bb46b7c3e49329461c13801405fb54ac3338e4bee5125564a0942146aa329f347a7195645769ac98d851984dd35812491d4c65a516ef733516af7cfc25a5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ad5e1b2c14c60a7f55e87349f52ab5fc

SHA1
b92e53966b8aabb015d1768fe4a6c608a1518dfd

SHA256
0d8a95192efff9c3e0caa3dc4b14765f3755b8cf3a043c1f431d6c76ee53e904

SHA512
f06c906fa57cca0c86dfd8002e887b644a803f9ecf6d7df1a1846206a9e3f8d94b15d94aafbd4890d09efba56d0c48951a131e496db2a4a95c67aadfb4c234a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b731c063c9405dee840df86ea9069664

SHA1
1f1951e1544f9f54f58393cc41d7e8d38fe595f3

SHA256
c9c3e87dc7d61cded35c932a368924b92a9284ecea7a575cd6efc9416d353c75

SHA512
d1ab811b614599c41ae5f4c3e77432f259d42a1ff3d0e90650c87ffae12d0eba6fd996f236198a08ec2cbec0cc7fa3df96cedf1e41f4ac0073462530c376e735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit