hxxps://app[.]adsalesgenius[.]com/marketing/tag/?id=ABak%2FDLENXo13HRfB%2B%2B5woeuf0mIs4kHbwMXdnTJ6EibhFejM4NsFlG%2FIIMy%2FDyorwyprDUARCmM1IK22dpIL8EWDbsZSG1E99CAG%2FVmuQW7tNQeDCqjFFKn%2FyoY8TVFDpj9Pj6mi%2F4ELK4ZmXL3UfCO5HBTrk%2BHQv36L5gURgfkwR4Sxyqesln1zURK8CgO

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://app.adsalesgenius.com/marketing/tag/?id=ABak%2FDLENXo13HRfB%2B%2B5woeuf0mIs4kHbwMXdnTJ6EibhFejM4NsFlG%2FIIMy%2FDyorwyprDUARCmM1IK22dpIL8EWDbsZSG1E99CAG%2FVmuQW7tNQeDCqjFFKn%2FyoY8TVFDpj9Pj6mi%2F4ELK4ZmXL3UfCO5HBTrk%2BHQv36L5gURgfkwR4Sxyqesln1zURK8CgO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133408699095682638"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1828	2872	chrome.exe	84
PID 2872 wrote to memory of 1828	2872	chrome.exe	84
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 2268	2872	chrome.exe	87
PID 2872 wrote to memory of 3100	2872	chrome.exe	88
PID 2872 wrote to memory of 3100	2872	chrome.exe	88
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89
PID 2872 wrote to memory of 4216	2872	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://app.adsalesgenius.com/marketing/tag/?id=ABak%2FDLENXo13HRfB%2B%2B5woeuf0mIs4kHbwMXdnTJ6EibhFejM4NsFlG%2FIIMy%2FDyorwyprDUARCmM1IK22dpIL8EWDbsZSG1E99CAG%2FVmuQW7tNQeDCqjFFKn%2FyoY8TVFDpj9Pj6mi%2F4ELK4ZmXL3UfCO5HBTrk%2BHQv36L5gURgfkwR4Sxyqesln1zURK8CgO
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84929758,0x7ffe84929768,0x7ffe84929778
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:2
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1888,i,765034393302756370,12214589052779263912,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
33f00df00093661ec237737da4a14f7a

SHA1
2aa51c426f6f805113a68178dab4d059ad3061ec

SHA256
40f76ae362556b9550bca818240f0e5531b39fc3138cdd37971ba21cc2986ac7

SHA512
adc563998bfcf007c76f01f9ec5ddecdae9539720a4053269d16af5174943ccabca067b47e0f10bec835c69641fbc340da073744c81dfe81cd8e6c847778a571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
124349533863dfafe77e8097b51e366d

SHA1
401819679ffde7035ce441ad10dbafbf4b581e5d

SHA256
56dfa2ba77c55334161296fb46301030f73588126cbabbc78f0674e96cb4fcb8

SHA512
f2e0bce8376d67bbe03b36b5b75a7159677c32c0c96c9c4f10d820f52013afcc4226a979eb572ce7c81eabc3fb495e042f6f7090a86567d29f5789581d6b84f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e0630b060e6d528a870dff02e0eee6f7

SHA1
74ab41156ecf357844e1f6a89f1b6aca3bbb732e

SHA256
cbf82a7ca354184886f60cfe96c878638880be5644d121f9590b4366e34a6aa7

SHA512
352b023a8e6510d40fe28b3de7b99a95f6c9a404fdba946e7dfe4d663376a1b5b3a4f1b65e137d479809f82830c09e6aa70d5b7b5881a72abe549da5b73e49d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54708c423f3109a30958c59727ee2342

SHA1
3f5d7e9fd2b847aad4afb7d363d9d6c36106b21c

SHA256
05e01cc43b509b2bb8d7c4a761766bc0097c95dc92af07c36936ccab0ce2d98c

SHA512
3f45e45c1d29015b83f8e28173ed2af876687c65cfe5837f1268c6082fdfd3a0fbd880521981d147d9942242c2b67d76f027834151830e70855038577b9d1250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
a3cb231528e7bac22ac1260454b35659

SHA1
c98abfd70786736bddc6b329c457398ef16dcee9

SHA256
1beb658400dccc729d04c4a17ac6af711318aa00fae8aee40e6545c27da51dc4

SHA512
1ebb483acbebbc8c9ec95d165f5e0f7e4810f8c27879ddbd03f78172ee5cc4617509223b7896c8577cc349e9e14d8bdd4d0d08d542c70f6054a3091763be2f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit