hxxp://cn[.]medical[.]canon

Analysis

max time kernel
121s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2023 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cn.medical.canon

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133396044157888372"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 564	1220	chrome.exe	47
PID 1220 wrote to memory of 564	1220	chrome.exe	47
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4236	1220	chrome.exe	89
PID 1220 wrote to memory of 4580	1220	chrome.exe	90
PID 1220 wrote to memory of 4580	1220	chrome.exe	90
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91
PID 1220 wrote to memory of 4104	1220	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://cn.medical.canon
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe46959758,0x7ffe46959768,0x7ffe46959778
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:2
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3984 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3432 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4016 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4812 --field-trial-handle=1864,i,10161757012642167794,15278916348899661287,131072 /prefetch:1
  2⤵
  PID:2740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1663167abb24ec5216b94535a71ccdd7

SHA1
8e0ebf828bfa60d206cb1e44f833033f3fb1437e

SHA256
a38d2036486e4d569b88dd0d76cddfeb8e0028a415a97d8ddb4c0c451343264d

SHA512
4654ea1a565ad12f70d66e1be1973dae0ca0cb2d2519f91cfcf802aaed89ed0ef47b07ec50b81dfdf1a5d002485d055329a53a8c782f06dca4d281c4842475f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9754f12ca5a11aee66811b46e9132827

SHA1
8aae00885d4d8f741dbde898dbe57de9031a0fbf

SHA256
5ad415dd18adad0dce63ff7b5a34dcfd560269eea424ee0f9847a77869fdc057

SHA512
f7a8f8108a9df26189151e102d5ac747470abf50fbe5455a6af45ea42cb4ea294eeed10803a1c1edde093d295da259db1ffff36856e12eedf817f23e538ff445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
6bf49d1aec2c7a59959de980e7c64c48

SHA1
3f9fff394e2efda5dcfb41d1f545cf4bebbb67cd

SHA256
4ef05460be3c4340cadc298f49f7d3e28729cca520dfc3736db8cf9245b3aeee

SHA512
65c23fe7683016f19682282fc2ebcb6352bc2a2e328a8922514c15e10eeecfa099985a22c008d6157b4609b02598e290f2ff0dda19ee7cce6195ed7ecb1be95b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
053552613d8d3b0adbf42a16c3813fb8

SHA1
e74e9fe7281a18c5cc7856053da595acc7d71091

SHA256
839f46828a25438cc8e90b8754e798124b8e45e72752bf4199543cbd55d31007

SHA512
43be4ac0b7ebad66d64b1e4df2c2547b46573b18d0afec1d51b46a71180a6a41af7a030befd53c3c09eda2312fef35c5b114ee42c3337724ebf4441ec0136553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cee49075-9924-4982-82ae-92e5b7edd662.tmp

Filesize
6KB

MD5
feb1c24a3c765d7ab24ea6e1abf29aeb

SHA1
38fbf34d7627629d2026268d9402852c4f5cf30e

SHA256
6a5f75ab50b46678be55e72464249bf48fb589015ba6a24f227fd5f519ba08e5

SHA512
bdccab0f9bbfe65aba87310224613fda6c44042e15b3fe49c75b8529184767cd2e9f4487d1f044842dfc19c25b896f92b4880f74d0e66e7a7763fd31543b287f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
5f26dd11f22eeb79d344bdc41d4d97a0

SHA1
1e2c3339f82ff60b62bc1775066db8010f87cc22

SHA256
e342e87d27fb7f561941d9c9575ce0ed28c069d73dd6a3211c14120daa8b97bf

SHA512
3e1e0bd448c05fcf22f7f2b6044a9684a5b644259abd91e6d916861340c2723d53306ef56b3b027fdfd39cab9f459033c64094f678f8ae13df01e0b9977eb079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit