hxxps://wifi[.]ekahau[.]com/e/993862/request-a-demo-/41bmzg/368131021?h=TFrKgNtko8YNcx5PD2uds6k9yIJ1fJfPNxE7nD-fkDs

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wifi.ekahau.com/e/993862/request-a-demo-/41bmzg/368131021?h=TFrKgNtko8YNcx5PD2uds6k9yIJ1fJfPNxE7nD-fkDs

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133378073000674167"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 536	5088	chrome.exe	35
PID 5088 wrote to memory of 536	5088	chrome.exe	35
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3436	5088	chrome.exe	87
PID 5088 wrote to memory of 3304	5088	chrome.exe	85
PID 5088 wrote to memory of 3304	5088	chrome.exe	85
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86
PID 5088 wrote to memory of 2884	5088	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wifi.ekahau.com/e/993862/request-a-demo-/41bmzg/368131021?h=TFrKgNtko8YNcx5PD2uds6k9yIJ1fJfPNxE7nD-fkDs
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff940699758,0x7ff940699768,0x7ff940699778
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5024 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5336 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4716 --field-trial-handle=1876,i,4919667709203213392,14344952314794505495,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e3210822600f872ba821ba15fb8c101

SHA1
cc10da06482741cc3c36d70a82656b50929825cb

SHA256
e640c756695f0393998932a81f5dccf98745aeb5d2055df1cfa0ce62e348713f

SHA512
c6f1c096aef69cf4c41f4d519faccd92de4099b7b25bb17348c39a52dde20a95ecf1b6267708f313e010b377b9c22f9a91f9bc71eaf56c932891f81fa7f8f7cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
758436ef42c4e7c12024731b7fd51f5a

SHA1
106d5c96eab38faf4fe1b979f8ee0e904102ee32

SHA256
03224f215726081c43d00aa0aa3508af6e914d752b58e4b834e42fa0696546e4

SHA512
ba31aee91c6f65ea8c2bda7bf172150a508b81c61e9e0db2896a9971d32a79d18f077d1723be536201a914cfd4429ec0c0c240cbc89315c2c1ca44f21715f6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
2182a703944bdca16ec656432947b84a

SHA1
467b6ef33a06a38b2aac945e98a227ddcb5d7c34

SHA256
8ae7037851b048c2b0b973af82f93f78e3b6822f52b656cf2096bb014fd37eae

SHA512
8501c598c594163f3c780c94711cdc2b25a3929ac129241767ec6e2bf1fb1a28478d93cfaa59844afbb1b3e9458f85f273e95caf98d31ddab123aa8661259231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bc0112466478bb8d96449c83dcec968a

SHA1
8e192cb34b53395c774a2690fba1d17816db2c42

SHA256
3def73e05c23c92c28ec3ed689237cd1152ad79d3a3827da76eb19e0990a757e

SHA512
829ebe9a0f9505718aa7f55ecc890ccf0cfdcf2befab15c9a62eb779c028743db67894d5805e0b440b7dccec6a1a168a89118a135c0e41d227226291a1cf2fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0da868fce3fdcd740901d1973f797d2b

SHA1
9c93f32b87599e782223891152a27438bc28c57b

SHA256
272647da772538589887de07ad265ed9e34360daadacb4c027b3f61f72828706

SHA512
1f5b436b08321841f368ae68ec03ac260f8c5b07a627d1cd11dfcfa3d9baa67f9c7dc3b09baced135f1423f060c2c49aacf8c2fc4c440bd2a76a1d0d7671c338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit