hxxp://www[.]excellentpublicity[.]com

Analysis

max time kernel
149s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.excellentpublicity.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133413265584133902"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
3524	chrome.exe
3524	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3384	2968	chrome.exe	55
PID 2968 wrote to memory of 3384	2968	chrome.exe	55
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 652	2968	chrome.exe	76
PID 2968 wrote to memory of 292	2968	chrome.exe	72
PID 2968 wrote to memory of 292	2968	chrome.exe	72
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75
PID 2968 wrote to memory of 3620	2968	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.excellentpublicity.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa7249758,0x7fffa7249768,0x7fffa7249778
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:8
  2⤵
  PID:292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2624 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2616 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:2
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4500 --field-trial-handle=1744,i,11181016944863059091,15361831986509720099,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
3eba69df3273d15b6c4e582236bbeedc

SHA1
2500e1abf3c7ed586e55e926bca707f0358966a3

SHA256
6c41d59b857f749b1d001ffe7a2020edbe979558702940552f98ed15c1a74abb

SHA512
3bafd9f8f47cca94d78374b11db77c449ed0082fc40f69c9750d4d90c3571cd0c942707391e8ba280f12bd297dce84a114aaccf254214e4730dfe9a7e3012314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a56571ffca3b9496c9989b9ff19c1366

SHA1
1155513addb0ef4e61c5be0d77e039ac1c81710e

SHA256
79da0889cd75a9f284ac428fffbe14f0ae18024cce6d4f5b5aeba3f9527591b5

SHA512
4293dca23e781ecd2b874e82df6f294c4a60b8f204475fbe0e1f105dae7bcde4e855d8732da3f01ef25d783cc724c7543c552f11bc9bdaf0872b4537144ebda7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
35f8f1d1930bc144b35ae7cbc1b01de5

SHA1
628911577a6408aa0c535c4d6df073c1af30bdd0

SHA256
91da377b211a469e549dd5c01db7d7bf68389ab14d9df501b4c8725d307c277a

SHA512
83f4483b67153d0c7dc25a982625f1437b42e3065f7c3859dc64a5f64552d3e67d7af1bfd41ce9babdceff4ccc465bb0b40af8f8151a8722edf4c25cc9860ec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ede29a282651677e25e26f8295f2efba

SHA1
1f94d79da79ebc3160b5bfe5ef6681fc600c5dcd

SHA256
a85780e4cf36813a6bf431c0a058a6136d6186546bcfa3360db9e2578cb6e173

SHA512
1b2fca18ec47f2e97cf23c99d07ddbd33c24d8a781f6f6a9f1fbcf69091b658b20c08dbc862cb52741a1cf4696043d1587d3decfc8edd483def127c874b7f980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ca84033f9b7862248abd859f6fca3e3

SHA1
fe4e773b40e09b27e3a0b3d00f4a000c00eee6ba

SHA256
299b7812c3b8ad9dfd40c4ba737ab488626b29c3dc2c979ee5e930b059dd5a1d

SHA512
b0c75a3493b4d81a7f5940898c23d53bd17d2c524f46d80052c009824427e6cdc4ebf269bf26dc8a93e1f792968c752a043289d730b5204c7dd7f0a6c4532c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ed28237a61e48d874f8777efb6bd7238

SHA1
8936734e7623277840a06158cb64c6fab39f758c

SHA256
58e565c17df2052e14cd11c1408f02b55d9e80864867e5a9804b840e6fe75ce1

SHA512
4511578d07ca107662f795d162819fca617ae79ed63422027f3c9384d7208c7d3eb64edea27cf6f2f9b8c9711f1614a2a570bac6d99bf108286bd73571be6da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dc489d27c54d17c4bef3e2919e214f19

SHA1
eba58fae0fb5c5699e849370efcfe65d8233be4a

SHA256
d28243915979ea2aaa7a9f88bd199372a3a88dc34f359d2376706789875aa27e

SHA512
8257bb8b952939d251f1b6cbfa904a947cd60dca7c64e25b99c20b1657b41a67305ccfa2085d9bd90575dbb450261875667b920ee5d905ef7fda3e64d239d44e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
94e4400eef0ac0b0237621a485498220

SHA1
d3c6771f5e5e7cb8dcaa55a96fcf1696c136c40c

SHA256
ebc2df51c23cf25de374f3acf611c45231e1cea69f423d9122ad6becaeb6ade7

SHA512
3add5aa53477f806fe501332894ffc08452c5fb3ed6bc54a5170eab3a7bfe3f2a491cb87c64d8a5a7b39bbc7f71cee1eca803695c7b156dae2b6ba73ac5bef20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit