Analysis
-
max time kernel 177s
max time network 183s
platform windows10-2004_x64
resource win10v2004-20230915-en
resource tags arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted
12/10/2023, 14:31
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://www.baidu.com/link?url=aW9Ix1-fMp7s_cpS9yBd0EifeYunbv67Fb0xr-NuJEHcI2G0M1-df8B0xbhm_ERN#Y2FuZGFjZS5sb25ndGluQHN0cmVhbWxpbmV2cnMuY29t
Resource
win10v2004-20230915-en
General
-
Target
http://www.baidu.com/link?url=aW9Ix1-fMp7s_cpS9yBd0EifeYunbv67Fb0xr-NuJEHcI2G0M1-df8B0xbhm_ERN#Y2FuZGFjZS5sb25ndGluQHN0cmVhbWxpbmV2cnMuY29t
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133415947882558258" | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
860 | chrome.exe
860 | chrome.exe
4564 | chrome.exe
4564 | chrome.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
Token: SeShutdownPrivilege | 860 | chrome.exe
Token: SeCreatePagefilePrivilege | 860 | chrome.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
860 | chrome.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 860 wrote to memory of 1136 | 860 | chrome.exe | 87
PID 860 wrote to memory of 1136 | 860 | chrome.exe | 87
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 4104 | 860 | chrome.exe | 90
PID 860 wrote to memory of 1052 | 860 | chrome.exe | 89
PID 860 wrote to memory of 1052 | 860 | chrome.exe | 89
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
PID 860 wrote to memory of 3356 | 860 | chrome.exe | 91
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.baidu.com/link?url=aW9Ix1-fMp7s_cpS9yBd0EifeYunbv67Fb0xr-NuJEHcI2G0M1-df8B0xbhm_ERN#Y2FuZGFjZS5sb25ndGluQHN0cmVhbWxpbmV2cnMuY29t
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:860
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ead99758,0x7ff8ead99768,0x7ff8ead99778
  PID:1136
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:8
  PID:1052
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:2
  PID:4104
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:8
  PID:3356
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:1
  PID:4040
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:1
  PID:4400
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4732 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:1
  PID:4080
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:8
  PID:2212
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4396 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:1
  PID:940
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:8
  PID:5092
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5556 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:1
  PID:1648
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3796 --field-trial-handle=1888,i,10294102421133644382,818756078228635161,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:4872
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 528B
MD5 98a0a9c186fd4efefa4fd82fe8290ff7
SHA1 bef3297bf5b19b64096e94e290d3e198c81e02fa
SHA256 b1018c56a93597fae2f6e1712b4bc52120e10d37e72728db610565e26009da4d
SHA512 8a66df55b2a1bc62aaf9146b0cb4a6d3c0b3d2622934023449583e04ae211ecb11e6a5606b8c2a73de3e42c0fd2b2924c539839569efb14df1233a832932e46e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\445ef74a-86cb-40e5-9c2d-e523144d6b00.tmp
Filesize 1KB
MD5 eac3d8d603c22f1b4a5deaa7babeb619
SHA1 1d56f40abb7d0b21dd6cde72f24527503983534d
SHA256 ea6c119b29e168621c9691ca5f3682f0e587a191fa1140ee72b83cb660aeb515
SHA512 f2b19ae2875051a89c8d0f6c06ad2335d219a3142875c465a5cb4b5c4969e4987090527b9fa0895dbab791cf5ed2365e15ac6df0ef90005146cb3a574a6b478e
-
Filesize 4KB
MD5 91355a584ec12f28bbde946dbc360057
SHA1 4db02ec9385d202904e9abdd8ec2683eb42a4054
SHA256 2c116a76d38e5673ef418957c42b89fcedfa9c7e017e08e18fb0e6322ad098e5
SHA512 cb749834af3a2aa55b53645eafbd3dce99ad650c494254e48f862c9faa5eea7bb647037174e94ac22caffb46391b5d25906f3bc441afd5585b87960119a63156
-
Filesize 1KB
MD5 6ec4ecc44c8d8ea14b4310d32f13a6a0
SHA1 d6361a6205a3b8ba694e2ac82f198f0e11e3ac24
SHA256 efdcf2964412dc654abc2004d9f7e0023b53b3b9b7661ee567be136ffc2fd15a
SHA512 309ccabb72b7da71892b3fdc6b31871eb11c7f92f5573ac2398bb9151a9b44f9b03aa0fdfff1c1bf95fbcdbfd14ce748f8ffdb75d1cfd1a0ba6734f5c4bc2153
-
Filesize 873B
MD5 d24f0abec832bb6a4ddd23e439519f09
SHA1 b9c5e9f25bf3f9a377e4715f0b207da5b8a409db
SHA256 c7610fcae09d366fa3db87d4767dfd1a79fc62064984dbfba3552a58224bcf7f
SHA512 ce6424f8da9c114def60e035504b9613ce90c4cc6a19b619d63e69de900841e27d8b1c7fd3eb4fe1551d1a45e9fbdc25695c906eb273577b2d1ef298266af3f8
-
Filesize 6KB
MD5 32f1be70d729d94cdbcbdd8685f6fd1a
SHA1 c367ea81f074913e87e752246899c6719acc09f5
SHA256 098811980f1a16a932cb9acf011324fcee9f7974575bf6f949ea799cb1fe3042
SHA512 00d69c910ff8d16b22e6eb0f63fbb823b999f1e6dd12cb7433b3c67ab3d4a12e1ab72758d65686e43faa433857b110562e6f21bb0ce017b5401efb32d36f2a1b
-
Filesize 101KB
MD5 57c7f0c40f98fc8028abb988122ba6dc
SHA1 1b7519b7119f8f1508f0d4b486c23736812e53c7
SHA256 a820eff4323e8179c9be6c12ad4b74d2f34ba8cb90e2cfdef328b07556783c80
SHA512 1d209c235036d63f2cf909bb8fe050a49b54930328512826e7295bd2e2696b75f4fb50b5d78b82d3bd637acedf0eeed922fe0d3db8263308ebe395362df2df95
-
Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd