hxxps://app133-api-dwtc[.]expoplatform[.]com/goto?e=test@test[.]com&act=ath&en=message&action=message&init_id=374830&rec_id=419566&eid=280&token=ee6e8f59ef9b6082ea95c0c4201ebcbb&go=messenger/?cid=374830

Analysis

max time kernel
300s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://app133-api-dwtc.expoplatform.com/[email protected]&act=ath&en=message&action=message&init_id=374830&rec_id=419566&eid=280&token=ee6e8f59ef9b6082ea95c0c4201ebcbb&go=messenger/?cid=374830

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409800315752932"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3576	chrome.exe
3576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3260	3396	chrome.exe	64
PID 3396 wrote to memory of 3260	3396	chrome.exe	64
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4424	3396	chrome.exe	88
PID 3396 wrote to memory of 4972	3396	chrome.exe	89
PID 3396 wrote to memory of 4972	3396	chrome.exe	89
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90
PID 3396 wrote to memory of 380	3396	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://app133-api-dwtc.expoplatform.com/[email protected]&act=ath&en=message&action=message&init_id=374830&rec_id=419566&eid=280&token=ee6e8f59ef9b6082ea95c0c4201ebcbb&go=messenger/?cid=374830
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb572e9758,0x7ffb572e9768,0x7ffb572e9778
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4680 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2400 --field-trial-handle=1884,i,16113850254147858968,5765574679624943107,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\480bcb3e-60ab-4e3e-91b3-2349facd9104.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
f8667d39929ce0851336acc3fcc4472e

SHA1
ff41982ce44e638ad1526ac1852cb1f7382779e0

SHA256
0960b8d85bfff1caad8a1b15a72d3f79b911c796e41753a509b7cf146dfced0e

SHA512
ae3f6e1ba375f98c618cdac27709c6447a2b7d907b720a180ea3d0c4aedb1041937cd64bee1c32901a095d91b8fb9b8a21681a73b656d916fdf65c9ccce87ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
651659eff425dbaf82eba4a92bce56bb

SHA1
0217f8fcf82ffbea1579cad80f842d6965563e28

SHA256
fed5308969ab826b33c693589a8d08f0ed42211c0a19769e9a403144519878f4

SHA512
d1a04e29093d3e46b006c660d744e244df171b0267223e407df99edf247b3a091a7d85aa1219e2d33212c1971dd7224566145759b9fa1e485730964e8f7cf785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
7ec36b6dde9945efb6395b9ad0b4bd26

SHA1
c10c1edcb01ea646c8bc5583b756e73a07c00ca8

SHA256
31c717b5628b16544a9198e5800d29bf0709a5a4f5d021f1b7bbfbe7b293bc7e

SHA512
64f8560b60f755c03c8d65ab09a4c3abb5fdc1e6ea701b31f6af52076d108b3cbab738418ada929b6329041a31f37723175d38e08c361d937d246c47b226f3d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e32b4e9c4ef876ebe8a285944e089c7

SHA1
092bebc8c92bede9bf7761fd4f1f44c1e163aaf3

SHA256
fdfae7fc5cc60e798379aae8bdc5e110139c1f6c7e29728ad7b9cc4d64549575

SHA512
f9dac50029534043c562747af75af27e2f63bb71edd3e3cb0f546594576917c527d56a43f78647e2cf5506d746197af1b11ff9fb556e54aab776532bde7c1879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
3e90f34ed7b93670a37edaaba0b3d288

SHA1
450b29277e9ce450ee5c98264b343641feaac921

SHA256
35aa8eb5496e267e58e13e1d51f078ec68c1939150bb94d177c1f5d8a020fb45

SHA512
98a4fce78b1c2fd14ae82e1eb8ed785554e319702e4a80ab9abe8feb52d6ba1173511f4964057819a941ef05ea2ee9e63d9ec7d8ab5ef7c202186ad44665718c

Download Submit