hxxps://vk[.]com/away[.]php?to=hxxps://www[.]weingaertner-holzbau[.]de/wp-content/plugins/envato-market/HASS8

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
18/09/2023, 09:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://vk.com/away.php?to=https://www.weingaertner-holzbau.de/wp-content/plugins/envato-market/HASS8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133395039105935929"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
2648	chrome.exe
2648	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3756	3776	chrome.exe	44
PID 3776 wrote to memory of 3756	3776	chrome.exe	44
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 1368	3776	chrome.exe	73
PID 3776 wrote to memory of 4436	3776	chrome.exe	72
PID 3776 wrote to memory of 4436	3776	chrome.exe	72
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74
PID 3776 wrote to memory of 3884	3776	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vk.com/away.php?to=https://www.weingaertner-holzbau.de/wp-content/plugins/envato-market/HASS8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdc8149758,0x7ffdc8149768,0x7ffdc8149778
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3040 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1768,i,4607769202284555279,4257562451153243463,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
25e3ab5edbcb097992d559b6a7330c4e

SHA1
693bc71bc5f8e380cf84e6ecb268911e27d43ba3

SHA256
d23a1a218e4e4f8f46fe52df6091e5cbc9f5e05173f6d6d865c38792a5bd2e14

SHA512
2ad53c4685c4f6043776556226072dd8e38ea589faeb455800216614458d331ad421282539b4493532825bd469620a119651f6ccba62b437248ff800159086ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
90dfb094d615dc4f773987aeb9920d6b

SHA1
f6b74fce7200e54d00815cc0b4b98f133998942b

SHA256
d446d743ae53d59e090c58e876e3b8f3142d30e85088c45205f42566b9bdab3f

SHA512
f4abc0a1c42a648d65baf0e195548c80ef52b72b23896a4c7ca350bf01e7ce7d5d606b5f514bc7c67f75836181a94c2bd9b992a1fa2f5c50355449c2e83958dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
1c3fadbe58211b23c62ccef586683906

SHA1
ae20d30870dc54262acefb1f91859f065d492c5a

SHA256
ec7c7dc3214b12eb1ed1862a9fd4cb212b64f927443fe6a32f8e27ee9b1ffb16

SHA512
2b8fb20b63cc59b4084e843026392b68e00619fd8bb2c713f3059be9e1d5c735e89ba1efd619c5b134fc25a5e3680380b9161df7121554e1e5d177c20993a324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd56fa71d72e52d5c94e2e035a7d7ccf

SHA1
c28752fb388e1fff9c80e3185082a3768d86c232

SHA256
2eafff50f028aa945eb30bbdd514fb814fe68fb5a0b9a3685fe7a6fdcb2b36bd

SHA512
1d0bb3f4091f6200d5422792f1bc745da557edb985c414d719d8062f99041c63a0cef930e1dde7eef2329c4c6586c8c9b714a8cf40827102f64abbc4b330de04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
61468f9dd88d08574ae39857d71e5e44

SHA1
ff1d9e59c24bd4b441c28fca51bcdac31b60d319

SHA256
cc47bae24f31f87beeeb4555f31868f62eb5e9c6ce569200095c55cac9325af8

SHA512
fb1dd94059c5bbee36b0a9a4be880eaa8d6fee0bc85c6a5b72a621d8f17736a16f8267223f71b88644aa6fe842263bdcee3de1bfa04363869c4cd4376d84ada2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
da45f833bc7f1bfc6b42021fe660d7c9

SHA1
847d34ea38134e96e0109b57e0d11608393edbe7

SHA256
889157fff30d54d1d3c3dc3f9356074b9ebfd29e15a490b6d41e7b8419cea995

SHA512
69f83d9553529971d266e9932e854d66819e06f1feaabda4c56a5a01b55a47dad555fb3fd64c6d81034f123c98c7e7f80b3683f70487501fc548d01f2e5d5565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
b3f5797575162ff9dcf1874464f0751d

SHA1
c17864816659cb1979fa9b0cda33a085ac174494

SHA256
5e171faf7238d24af74c333e0354b9e18012989c786273ac42b071a829f21c33

SHA512
a0125972e5dbaf201c66ad41eeadc4dfc6007a3245a2458e83c1c4eeedd1b9e1e8bdff8d406c6b242fac5073e97103741ed2b2610edd242084fe6effa6e0f32d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit