hxxps://www[.]huawei[.]com/cn/events/huaweiconnect

Analysis

max time kernel
35s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230831-es
resource tags

arch:x64arch:x86image:win10v2004-20230831-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
04/09/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.huawei.com/cn/events/huaweiconnect

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: 33	3028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3028	AUDIODG.EXE
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 348	1348	chrome.exe	73
PID 1348 wrote to memory of 348	1348	chrome.exe	73
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2996	1348	chrome.exe	87
PID 1348 wrote to memory of 2116	1348	chrome.exe	88
PID 1348 wrote to memory of 2116	1348	chrome.exe	88
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89
PID 1348 wrote to memory of 3452	1348	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.huawei.com/cn/events/huaweiconnect
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8d99758,0x7ff8a8d99768,0x7ff8a8d99778
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3560 --field-trial-handle=1892,i,462639826823197032,8740636504166426518,131072 /prefetch:8
  2⤵
  PID:4152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
1024KB

MD5
4fd8d3e91d4467aaf53d419101fd2f7e

SHA1
e4f1aa8a32c4c2f971f1af3aa0691565b8a87621

SHA256
e4ead914bebf30877cfebf8edb66e599ecca5b76e7bea9728e9dbfebd36894b1

SHA512
bfe9cfae45ef3e41caff17db843422c74f0271db275f42ac665b9193ecd35b37f1484c1669c1e049f6bcf5d33ae5f1fa57f5a0f336a86949f23ff1bb45abf10f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
668KB

MD5
5d3b43defb6e07624ce2db480afe422e

SHA1
b8ae5a1bbc4930c7ed0eab6b82e820a68f01a1b9

SHA256
1980b85809470abc0b4e31b1a04189f1d0eb9cdce2baa2a19aa8facc837d7d58

SHA512
498bc636d3e25d813dfdde01e68c81b3485f74a23ce40de30107d03f0711d1108226e652b9d26e4fa2f123e841df2839bb5f13b023a3ccd5590340dc94adbd4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
961KB

MD5
e1260c72f748b489c5f8311a95e1b266

SHA1
a4faae587b47856096d358f66bc3b73152ad93db

SHA256
1a975d847ad1e71e1052f0ae5a24bb72273b8721ee22be540d363b23c87d2743

SHA512
a87106adad34d60e16cc1779d0f2d708987cfbe500e6f9149fe78293dd0063e27cbdfc7576e477d0e0203b89bef5086ec99658c5936d336969c4438a23d370c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8a2a80fb94a6610ba538d5c216980b4d

SHA1
9de562cfbe2874d83aadc3ff42ed55207ff96fba

SHA256
0accd66e0c1e8365c027f1d67071d949a8f3db4cd1fc0005edf72f201d0a899f

SHA512
0047f18f7de5be8d1ae0ba1e27a96589f77b71f11836c6b020027ec90f59d1211e8c81b51ebf3eb6031f2db45cad74a3b0bbf1d2b124b91c1f108a7d802a00de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e1cf788a5f831bfd842d345d41afa9b5

SHA1
a026484e738abcf52fc7d929578248a8d8420b5b

SHA256
080084d5ea6becf55d3c75db1e9797c9afb482e09386129dbd4a1f9adbc02ec8

SHA512
ce6fa83c856ab864d9ea5983cbe87d7e4c5d95cf79e0dc67e8bbb70ea5baf2b867383c9f32bd0c356d1de776cd18a57075d74925421036544bf2b84802e07549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
329befc733022fd1d60240dceaa2766b

SHA1
8c94dae62dad734f0a583afa412050edaad5571c

SHA256
27cde246c2be1378f6f28c13e193d7613d64d36935ebade7bed25ad69f87cf93

SHA512
112204f023970518861eea3a0c6ac2568fdb743c1550942b908b5c193af97c184e228a41863dc15e515cdf5995aabc2d226b44fe9c132ac85d9f7f7bcce2542b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
37e9dd771aca008861161a1bb3bc0352

SHA1
164fda3d80a8ef94c8a452cac7e2b96cab7c3ae4

SHA256
612a59c6c95dbc078acb5a18eb20e9788c3d5e970d39a77fa02f0e98ce847a13

SHA512
a8a1fec64402b9aa6d8192d9582f16adea73e93eb48b22ae424502560bb0f70953e205b91847ee0fa5d2b2e2b96a9fa8a1c1b11cd169de165ae1e8e492f55a1c

Download Submit