5ba6fe5a6049bfaf55b53a1171d262cf186b032829e3cc0d63b91e835dcff330

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Whirlpool_AugustComboLists.html
Size

6KB
MD5

82a32a888186f9d0825ed52fd0b54e97
SHA1

8305f56df18dc9a8656d6bbc00d59551ce42df4e
SHA256

5ba6fe5a6049bfaf55b53a1171d262cf186b032829e3cc0d63b91e835dcff330
SHA512

5f02dbd8220c26ffadf6586c2b90d4787ed86739d90e559885b223542227639753c9067c8c0ee4cbcd7b7ea87957ef7ccd3b7aebca0b4061baa881e293c145dc
SSDEEP

192:JRCidj26jkhbycgMi9i1nv6X28Vi7YxFH2:Kidj26IdycgMic1nCXBMwx2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133381329913351369"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
2536	chrome.exe
2536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2608	3988	chrome.exe	39
PID 3988 wrote to memory of 2608	3988	chrome.exe	39
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 2848	3988	chrome.exe	87
PID 3988 wrote to memory of 4840	3988	chrome.exe	89
PID 3988 wrote to memory of 4840	3988	chrome.exe	89
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88
PID 3988 wrote to memory of 4864	3988	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Whirlpool_AugustComboLists.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9caef9758,0x7ff9caef9768,0x7ff9caef9778
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 --field-trial-handle=1944,i,11522984757006406768,2247873513574108554,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0f60067f-cced-41f2-9dcd-755c61ea1b60.tmp

Filesize
873B

MD5
212bf7a665accf6cb168fe5dcd4354b1

SHA1
c2d7f23c4f96b16c4f3d27e348573c463e43119a

SHA256
f173be9af8b025d6ca64bc1ec5534b2a3e694277c7cd02fe27969832ac9657e9

SHA512
985d34897671b9708d9cff333bd78c50810d378950f7f46a45d6bcbd2c6583a89a9d76712903bfc8a310f41a6123f7561fb5853b770d49a0f2f81730f0f11edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8368bb446d460aab26ea57a1037cbba9

SHA1
e52ca178224f2e8665eacc3e8586eff0058667af

SHA256
05449f45de84fc4d723cae0487f001c5008c586d8a0ecc4f48617791beee666c

SHA512
84c6989ae73a1caee2c6566e09b42f18201cd75e12110b72dba6a153d7d2cecc16a147c8b24a372e1332c9262a560db2db3782f52ecd894849997f3ceb9f45a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6fc49e3125ed82cf2a36f680c8a0eafd

SHA1
4c36cdc070db76cde7e4e58a82660c4bca4b2f13

SHA256
44565c9219b3d4aad38dbc149259d45281027fcf993808a4795ee6ccdf4fffe2

SHA512
1a73bc0a643a2630cc5a933e45027e94847394e26d064d647a61085ce5d35e5af32329b6d930d940dfd269d4513cdc0a1330c185ba2f218ccb8eb7762bd082b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
759fd9a628738a25537f697744dbe215

SHA1
7f41bf4b6b8904bb1e411fb8b9f94aefb3066d49

SHA256
79af6098cef8a7710def764fcef70caa6d87276528f73c407396e71e1a67475a

SHA512
aa8947e610421087c23d7046da232c835ede1fbc300db77f40e962ce013f19d62161aacd9ab86394cd8243054321b133be0c90254f6937d888e54d38e996a9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
30485ec4ad716dc591b43c53e26fe376

SHA1
4fea76f8c4771cdccc3b6b4ee8bf1e2c6f9acaa5

SHA256
ed9b85268f07b532a0d190b91a26155721e3f9aef96a02c4ae61092630fa493b

SHA512
a302bc65d41f7046461ac81e5422483e0f5c1c1837b7788c1ce02d2b7c8432e1ee1a4b1b093510d7f418b2165e32c3a4868479172fe4a835059d79d83cf96dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
0465d4ed6f461731da539e8f1a7016ff

SHA1
dedeb1b69b96d460215a9b9c76c5376986f86042

SHA256
92408efb15d0dd7cf0b3e2a10f885bafe1cb29de06fea027a983c75f5c2758e2

SHA512
5d501f5ef49acaaa83fd440eebeb7e9372ca487e726452431521b9711cdba921f8b6dbaf5787978a186f798c2fb74e5fc9f69c9bf9e32c4b0b364f055542efe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit