hxxps://saudileaks[.]org/

Analysis

max time kernel
599s
max time network
489s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://saudileaks.org/

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133378662873295120"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1716	5084	chrome.exe	69
PID 5084 wrote to memory of 1716	5084	chrome.exe	69
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 2852	5084	chrome.exe	73
PID 5084 wrote to memory of 4044	5084	chrome.exe	71
PID 5084 wrote to memory of 4044	5084	chrome.exe	71
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72
PID 5084 wrote to memory of 4032	5084	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://saudileaks.org/
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc71bb9758,0x7ffc71bb9768,0x7ffc71bb9778
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4468 --field-trial-handle=1848,i,1168824037090735689,11463667321393719542,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
4b5cd711792b4a5ed05ccd09f4a90beb

SHA1
9b277e81407670c3473721a3317125928bf7f27a

SHA256
207c2babb83c8c1cc4f25758cd2556178a9c1d40feb129d702802992d7096986

SHA512
a84936a99af9ffa5265e0f355046bb75fbeb83f90534baf2cd767283c39df8ed5f8e80956806d665002960b2c6567469b14d5cb7f6dfbf46948eb9a68889bfd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6b71a712a4b320f3cdd9761eaf808345

SHA1
35327bd5f20db1f91e9ed4e35cdfde223e9c9a27

SHA256
8dff93f949e25ac47cbf39f6a3308c5e6c5ccbfbcb8ea24f29d4f46f275f2831

SHA512
a025458975a770ecc3d05f5addf54c3a9c8429bafdcb2c95f709acac06b5308d96f069a7dba604ac88f676d4e6735cb5a2f7c1bf97bdba23c2e8334889ed5f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
994492c9787bcb15728c17c65cf15ac7

SHA1
89c203ebc47c3289e282f4e3b028b5be28c8f63f

SHA256
4d3241f1c2a4676cbc51043b1d730ef42b5f89a7509e65d893406508f6d99ebd

SHA512
242f9e13af496985e78f879ff94b874cea7611476269da0e210b74b65b261e1c3c161b2af2dce5ed147cc8c839191ad1eba3d036ea140e0eb9535b262dfea254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
cddeb4b9b0b9de735929809ce7abc4a3

SHA1
3ca925353be9669561699eecf48c10bc4d9ec7ed

SHA256
56e5738c90ae50e5863f86ab1d9f677c1694a0bae7fa5b1f42ce22ba555b66b9

SHA512
d54f270909aabe6ae4409ad8658bc0a0037423d23d14547a871d66cdf6348429bc8888540eca31a3bdc379ee064768411489fc4171ed5fa3f39d9f22806cfcb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb730463e06466d0bd780fd0affe95e7

SHA1
682ef529d79ce37d767c2fa83a045aecc91499e2

SHA256
a40609add9c3bb089168368b1127334af1eeec44f07ddadf23506388636129ed

SHA512
9edca6a849f36357695ec546d97e75f3c6f3756e430f07a8b0f49d8add0b9bb0b7f75c961c794c22d3b3547f01cc29505eeea7c321a7f46231584e0112654eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f63af88de55a463bf2c237b705db083c

SHA1
3fca40ef2e470a88164364d729ce81824abf8eab

SHA256
cf92424d355187ec2db515fdcbce58125c321324d9b1a283d77f867ff350c3cc

SHA512
6545923ccc32faf2c7e71148c657fb69ea9599199824c8625c63af7fbae06047b0fd9f7840ade4ebda4faf9e5d78fa473d3aea8a830abeeb99a4affbeb132e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef6a9af952bca4e2905192ed3d976087

SHA1
0854daa82868a48796eaf45d7968a3a8caac73e4

SHA256
849cd4a1fc59a98bcfb25ae026e4af6bc3b36b6742024e813d7c653789a5ee63

SHA512
c223d71a1305cf9fd59b3871d2682ffa6b4ea422282f78cdb2b0e2c24848d3bd9bb950e57ef398ed315cd03a6b56127c356af4a57105b841c0be83358a2440c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
245019de80fbc86274cedf7180222ecf

SHA1
b33a88102403bb2fecb791f9d6310334ab393807

SHA256
f8f5eaa36bd68de37d6cc13bd15ad27c1bc43c0eda425de640967ca3e4acc422

SHA512
ba0a2b4bf1527f4a3a9fdef3ca783516455933cf2e7736afb396abac858ff4af4f402be69032c46dba296d6b372e59ab8407fe635db616ecba3a53ae833fc878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit