hxxp://www[.]isabelliana[.]one/Thorstein-raced/cba6ul2x395F86XC11b4c6fWGf52m24Lgh4rHIvEcswItafiD8sEIH411sQJd9od9jnm5r1i0P7VBMcY@9

Analysis

max time kernel
600s
max time network
595s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.isabelliana.one/Thorstein-raced/cba6ul2x395F86XC11b4c6fWGf52m24Lgh4rHIvEcswItafiD8sEIH411sQJd9od9jnm5r1i0P7VBMcY@9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133406995579332371"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 2900	3804	chrome.exe	68
PID 3804 wrote to memory of 2900	3804	chrome.exe	68
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 5024	3804	chrome.exe	87
PID 3804 wrote to memory of 2536	3804	chrome.exe	89
PID 3804 wrote to memory of 2536	3804	chrome.exe	89
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88
PID 3804 wrote to memory of 4100	3804	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.isabelliana.one/Thorstein-raced/cba6ul2x395F86XC11b4c6fWGf52m24Lgh4rHIvEcswItafiD8sEIH411sQJd9od9jnm5r1i0P7VBMcY@9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade759758,0x7ffade759768,0x7ffade759778
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:2
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=876 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 --field-trial-handle=1904,i,3025882519591975082,13478476982281362501,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a9468b8ff4d1e621283dc9245b8d0263

SHA1
4684f1d7ca4ac35faed8cdc8285921fd9f621110

SHA256
5a5ddacb04ca85ba66ec32426ce9bd8e8408d1b20f540bfbc25975fef9f42517

SHA512
ebdf6c0103c4f7b52001cbaaf4f20c0fe0005e3c36f461dfd2eebf601eeaabd06023ad12abe789e43105a74c75e59deb266ade6cb13861e135821c3f8ee223ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d5b04253cd8c63937443b5526f9bce2c

SHA1
c7ce5d369e91957339458a662528c99e78fc02b9

SHA256
e9166311a86fd3007a498eb69028206bd5d256f2b4f96285f5522abfd171447f

SHA512
d9b69703bc7b06c48b7811d4d309e2c5eb99b7f9635857d67209ec9d5cefa4565ca07e970f85ff6ffa145955829ff77a65337f14973f1c2e118aca2717952222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dbea1987b1a1a53e7fcae707bb541a52

SHA1
673d8373b763c38452cd19814d6c23a252d4a70e

SHA256
4ddbd309be6f973ed8512fbf79ac1407a27c2324c4ae6e50cdf3cdbc68248c43

SHA512
f9c416b1c2ba7287908bf5e0495da8c6d6c34ad5d4b15fbb6e86368aeba1df5314d319815923569bb4426464344d73ee010e967c418386c75161b634b1b18a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
bde534c21843c460a9304ce1720582f3

SHA1
15b8d3ef99aab155da36b77d28f738281ab79e2b

SHA256
486327162021318e0d93dfc9b7bad94496883cca330c6a6b67bb25866ada0cfc

SHA512
9424bfb642e477cbf741159e0e651dbbc9c5ec13153e27c0e666bf7e0dd10e4bffa598b854a0597e0a0c067ea133e73b8ee3500ead76544e04a95af87bd5d513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit