hxxps://partnerstudio[.]vev[.]site/v3-helsedir---barnas-arbeidsmiljlov---sept-2023/

Analysis

max time kernel
211s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://partnerstudio.vev.site/v3-helsedir---barnas-arbeidsmiljlov---sept-2023/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133415963844829757"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	chrome.exe
3084	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3084	chrome.exe
3084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe
Token: SeShutdownPrivilege	3084	chrome.exe
Token: SeCreatePagefilePrivilege	3084	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe
3084	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 3832	3084	chrome.exe	41
PID 3084 wrote to memory of 3832	3084	chrome.exe	41
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 1260	3084	chrome.exe	89
PID 3084 wrote to memory of 3052	3084	chrome.exe	90
PID 3084 wrote to memory of 3052	3084	chrome.exe	90
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91
PID 3084 wrote to memory of 1608	3084	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://partnerstudio.vev.site/v3-helsedir---barnas-arbeidsmiljlov---sept-2023/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd1b59758,0x7ffcd1b59768,0x7ffcd1b59778
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4580 --field-trial-handle=1812,i,16694021332955545213,1079123195083989592,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x510
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\793e4933-1345-48e8-86c8-c9dcd640b62c.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
3b25db8c15a6a29adb7cf7f1e02d24fc

SHA1
c24b9ed22114d3c6e5757b826ec27d207a058edc

SHA256
17bf70297c7fbb9d941a310cfcffc017cfeb9d6dddf056e0439ff4a12c93e621

SHA512
0c75e1ad203ba12f14bbb1cfa70538c95abdd2a04ed73f0dbeed44b2c3f7994e868f434da2f95cd8d5814227d0c992c561270ff4f6ac896fd13f4d5b1ee30b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0ff3020ef7a0c324aca3c30200f714d8

SHA1
b41ce06f0d0e038baf6ce3e7f9f53e90f16b2e06

SHA256
3af4b0967d8d84f7d59070301ddce8e08c75ce478f387c41bf32cd6543c95a14

SHA512
8c1760d2dce6952126edb536bbbe93d3a9530fffeb1beded463519d4772ef3a1e6c8491a94c3a442f672b9850e75716f64eace7a596c7acb961217cfc3c518fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc729ef76bdd03c5792e8298e66926db

SHA1
1b2ca1cb32d722ddec183aaecac5b2156027c672

SHA256
b23b2160c6aa9354b1bbc57c01c1798b003fa6d12f5139a5becca11a5eb0cc4e

SHA512
2683f8f48ad42a14de7ec9f6163ed5a65cc83b75214b58da3f7794dd4fd59fafc4a48ffc362200c1e63915fc79f24cfeb416cb20fe0a56b1dd797055bb822e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
db7a52450d30de256c50e6e3bcb9bb30

SHA1
33969d5acf6d8737b9ff5b482d0e0a75c07ee75b

SHA256
0f67b4073ab3cff12dca0fa59e5183820075d5a089a41fc4bd3801b0d16020b4

SHA512
6c2624c02c7bf2ba120e1a1fb9cf45f22eedf3ea3c5bfd8a05cad9ca593e716570da122b9e1141ded77dc2d8f0081414ad541b38489fb3bc9f4bd2c81edf2782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e6cde860390f1cdce21dcbc47e14462a

SHA1
719a3da64df44fd34659d6e6962b02e74fd62a27

SHA256
8243a39bc281b2873879a8d22c2afdcb611ea186da5e29d7a4cf264dd8b69ccc

SHA512
c8dbb84b419eda04ebba3850e74a4029ffffcab85d9bf2a89ac514d1876abfe5cbd19e1805a03c1f2dd905f7ae7a4dbd4d834a42d71314784996bd2319679135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a92df029fd5f8e1ec69d316dbf98c70c

SHA1
9bc91f52d63f271e90f4e86f8d4077e3d24fc9de

SHA256
7fcd2226fc8449abe3401dfb967ec66455748ba851d8a83aba7f246c5fa05ea2

SHA512
45751275b84324b5341e6c565ce9b18b0a2e3d0e6fb1453a5ed2dd30b746e72bb1408d7c351934467bfb5f3ca9dff42c868bae07ebaecf209bc12cae77b60d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
c12116bf5cd2d81ee722d88fe84a49c5

SHA1
546cdb0c8d8a63b17994ba3af589dd5ea3b5da95

SHA256
54621697bef0b6903712ec7339bcc6eeddfb2a9e36afabe5d98bf4f75532c0ce

SHA512
2a76f7074ab154bf3adf8d0398307a909057c304f7096ab6c19e8027647c3f38baf01c4844ab7aca67556b82d8710b13de3b22f2ac1843896e0aeda6cef911c0

Download Submit