8c76103357393864e3fe31f634ab9b715d114c7f55d98ff9269ca8a59360fb4d

Analysis

max time kernel
160s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage-report_13869-dgalambos_AT_caton_com/body.html
Size

17KB
MD5

2b30c4c8bebca86f2ebf87338ba8f1f6
SHA1

083c51f747b4361cdee16a6a0660ca4e3b1c6aa5
SHA256

4c24a56a6dd1d804587c1efa3009877862697fa11b6accea21d580e73790274f
SHA512

24ccdd1d8172eb9eee75a31b7f26b02e20266fbbf54d2a687d6f6c4cb0857c78d09dd7c8a4bc99295a128af463c8045f63c78722a01cdc576168b7f48ae85c92
SSDEEP

192:+CO+qJVam7hUIQig1n3BE/NGBdqK2BE/Ir848VSW2BE/wW0yawXUXXphU7D7:GJVtIEodqXEmtrEVGmUHpU7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133415041648637746"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
5908	chrome.exe
5908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3120	3348	chrome.exe	45
PID 3348 wrote to memory of 3120	3348	chrome.exe	45
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 1460	3348	chrome.exe	100
PID 3348 wrote to memory of 848	3348	chrome.exe	98
PID 3348 wrote to memory of 848	3348	chrome.exe	98
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99
PID 3348 wrote to memory of 4388	3348	chrome.exe	99

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\triage-report_13869-dgalambos_AT_caton_com\body.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3bbe9758,0x7ffe3bbe9768,0x7ffe3bbe9778
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2688 --field-trial-handle=1864,i,9229354908963234149,1533634667612895484,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
94808c598795273de046d9275b2a0e74

SHA1
56cae0c8c8871e977c8e8a24ec622b0a7075a9c4

SHA256
fa84fb9b03f86c07ccfc17d9a3e126f794140ad8c1c3f28ff55c6adcec2a1fb6

SHA512
33a4bfc79488ac14925704836784d946c72ef2a1a70a57b248e6947136fef964991c6a65bdeb7f60412a088ef6dd901ac029b8bc62da35f234496bd8d63c144d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c5a9fe8d78a0830ddfb5c1a8402347ad

SHA1
4e30781dc7733b993560faae88f9098f2115c0fd

SHA256
58c76b612282eccf87a17629325eaea9c8b2f54d54ecc7724f25de35f3df50ae

SHA512
36647bbd1c9e38d8cf40f8f9bcc9b66c5459d165178ff3d1c13b9f5fc7a2ed054efd4ad40753e8b8c9c8429d44b3fef8b965fe2c184dcf9f9b1e1538070845df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39d648b40ad91c0afa25b5a48ae8ad33

SHA1
4b3108f8d29343df86a0a5de1c4816961c538aad

SHA256
543f77b5ad6adb668665e0e1df462a56af5e4aa9810d9c1b802cef038b86abe1

SHA512
be2bdf7002bcc74dbce4020305fdc079b9b9ef0e3f12f6438ec11e3af2100cd031087710f52b1f0ea101024bb727ffaca6668920b3828382031215686b8a3704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
940053040c18106f785f4dd43e264136

SHA1
f5069e125e65eb4e2374ecdca73880f8e98f5e50

SHA256
96e64ac05881210945c04fe889a1557841c3adfc7ee8bff272edb651b0176d1d

SHA512
217a9dda1580f2b5f45efdb208b19a61eebad9543b021e4c2bfffb97e99f95d350521dfc10dfc3578e776eea1522c5a5e7ee9fb4a9f3852c4b76e73ffe2c1868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit