hxxps://checkip[.]amazonaws[.]com/

Analysis

max time kernel
1799s
max time network
1692s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
22-10-2023 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://checkip.amazonaws.com/

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.amazonaws.com
3	checkip.amazonaws.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133424817064040573"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4216	chrome.exe
4216	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4216	chrome.exe
4216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2744	4216	chrome.exe	71
PID 4216 wrote to memory of 2744	4216	chrome.exe	71
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 924	4216	chrome.exe	73
PID 4216 wrote to memory of 684	4216	chrome.exe	74
PID 4216 wrote to memory of 684	4216	chrome.exe	74
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75
PID 4216 wrote to memory of 3852	4216	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://checkip.amazonaws.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c7a89758,0x7ff9c7a89768,0x7ff9c7a89778
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:2
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1496 --field-trial-handle=1752,i,11673308744715691484,1864449094497810308,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6b6be8287e2d3f75d7fd983b24dfc628

SHA1
085dde139104bde22aef88f33bc3224dee664991

SHA256
dafb294aaeaf7ebd39262cd6a31da8e9bba641f0b905af4cfb1c133440d28306

SHA512
d7112495d5eb6e0f43f4f6c177ecb4457e1635db66a75c224ca9f343a8ebc03d803c23625db16bbf0306a5d4a3c2400435cb122622ce45eb93d3c8f20f35ecb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a68d40092fcf6a1e46eecb6b922d6c11

SHA1
611966be52f6cdead1062e7613f95a2b5ce8adb1

SHA256
bf25b759b36e684bfa02a74fd20ef0877d13d9579b3f638ab6716112530b62f7

SHA512
956814ffec658ab8e4d2b276d554ca15bc618d83b26b683c052e53835a1a574dd5470852b85c558618647939a9183bffe2176c86374da03d077987a9239511f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c9b58bb36a44c63e164b62cdc5f7e5d

SHA1
485b43d25d41566d8ad733c81242f0ab6d810d92

SHA256
52462242a657461733f9e225ab141145b35f4d15b960ed31fb824d0e999b5cc9

SHA512
a251964ff018e319af3282ca15e6c4d5e8b773323699914688213685049e3fb912419941c239a88610eb8a5bc8484dee1428eac14bc2be8f9fe7e14c337cfa63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
7d571071d6caa7dc69b0d26d4170b057

SHA1
8d9e3c26b2231545653138c844000e9fc8de5063

SHA256
e4f7ab81a7d25ab83941ca72bc69f2e7f9be123c6508d46ed674ab963d9842ab

SHA512
ce35952d0ac28739b2e2f49f4a1fc05be79779f5690da5aa50736686b63f6ccb05f4887e3577b71cda4e156801833353fd427ebda124b0fb1d97be0d0f4f2d05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit