hxxps://virtualsecretaryservices[.]com/online/tunupd[.]php

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://virtualsecretaryservices.com/online/tunupd.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133414183673331367"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 5084	3568	chrome.exe	20
PID 3568 wrote to memory of 5084	3568	chrome.exe	20
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 4752	3568	chrome.exe	88
PID 3568 wrote to memory of 3408	3568	chrome.exe	87
PID 3568 wrote to memory of 3408	3568	chrome.exe	87
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89
PID 3568 wrote to memory of 1496	3568	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://virtualsecretaryservices.com/online/tunupd.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff175f9758,0x7fff175f9768,0x7fff175f9778
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:2
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1692,i,204111140987174876,3116073956061391511,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0ec58e6a44b61cbd67d3a833fbe0a03d

SHA1
6b68e2c059e68a0bdb8fc94f0a2258dbec845d96

SHA256
f3473b2209104618cd366fc83a86fd9a0ec10ba6f27f39bc9193a952915a35b4

SHA512
379719b3ab7d033fd6f6e47edf9db81fa410ee06aaec05859ded37d6accc8e6e5932f6ad5c4a8249b50c55385910f026c2ee34846a6abf54f75a9a844d63039c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
23212a286277f42d4486eb2f31f8b963

SHA1
2dbec84ebf8bfa92de7ec82fed930a2b7d1413eb

SHA256
343c56a23e70e24f31ec67b38924a0038be8849e1d08e1deafb38e254c863b78

SHA512
f59f4d0f4e9613380da3e4d70a75d333c88d277e5a377ef30a46e2160084eb8c5d57d68754915c4b47eb88a6a02b4724345d44354eb09882d0718a37b8edae4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6789041fb4c5282b9893813de813e505

SHA1
b9960407ade81bdb3914a7853fa2e505e0905316

SHA256
5df2ae6d08f01f56db66ca4c2990cc17326b43a10970b9f5895bf41e02ac1b00

SHA512
332a7249aec947e76b82da995da8fc19ca1c8a725dccae2b31d52b1b365822a4855befc1bc9d7496216f1cac75c9d404d55a590f963a13ce7eda3a97e43ec60b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f73c65666a09de82a2a355f6799825d4

SHA1
bbae0da9df107a61506952d62ac8a370403d4d42

SHA256
d88132ace18ae4426d43aa3694a8fe06a4163ac056a4ecfda784b9eb0e0be527

SHA512
ff933f2aa433717847947ea3e3f26f9913e55b7cea0a40afcab9f18bfef1aac78649337f1aa70fd94fffcba09bd7111ed82d187580c97d25086d19f77a3dfc4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit