hxxps://xdnpkfbt[.]legacytattoostudio[.]com/energy/ZGtsaW5nZXJAc29zLnRleGFzLmdvdg==

Analysis

max time kernel
51s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2023 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://xdnpkfbt.legacytattoostudio.com/energy/ZGtsaW5nZXJAc29zLnRleGFzLmdvdg==

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3864	4996	chrome.exe	21
PID 4996 wrote to memory of 3864	4996	chrome.exe	21
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 2568	4996	chrome.exe	84
PID 4996 wrote to memory of 892	4996	chrome.exe	85
PID 4996 wrote to memory of 892	4996	chrome.exe	85
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86
PID 4996 wrote to memory of 4240	4996	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://xdnpkfbt.legacytattoostudio.com/energy/ZGtsaW5nZXJAc29zLnRleGFzLmdvdg==
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd8869758,0x7ffcd8869768,0x7ffcd8869778
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5032 --field-trial-handle=1884,i,646354653232926718,16861691373764017535,131072 /prefetch:1
  2⤵
  PID:3772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
34427de8494ae147f05198c1f57a6ae8

SHA1
36ec948eb9ea0971508ea201596af0cc45664417

SHA256
4f7e18daa5980886362964984d435dfa17aa7a87d50bbfaa3799dfa0a1df32bf

SHA512
b429faf4424cfd27da9da78124f1ddad7f4558ac9503ec0db7c33242668d4a69c6978f81cb110bc942c86975377549b2d5ece0ed4ed8cc731548cdeffc3da34e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
096ad18bbdaa64688307a0af8065f0aa

SHA1
dac2f3e168d234e4cc9dd4c0e750470eb884c2d1

SHA256
17c910ff6d03896b652780b4356f579084ae8b59a5a7af9cf93180c2fbb5d8dc

SHA512
b0bd2ad77611ce2e13d277945d6196b47b7417ca9e4f02f41fab2f00f7e520b96cfad5470a99ecb4ba348b3ae015c5da14d67bbdad8a55628f1e3f9c3a3a640b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c17c9963a3a674e88c628c46ebabe640

SHA1
9cdadc9e227a8400bafe2f96cea384b7cbcf66eb

SHA256
d72935c0a2d29c1a24f5b1eac6ab616f5f16b3e895a11d8903b8c57df1cfe32b

SHA512
58144385e07206a2152e6a8e64e0fb7fa62c3429f2b35295dce29f99985eab59397d11781ed7c76ccc1d3fe6a20fa3e95102c19339f59b098568e58e6d96f57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
64d3e9af3f8952c058678312329b7b39

SHA1
f6c3a7993923cc4baa22473c9521ca7d96f8f891

SHA256
ac1ade85ca1b9ff7c1e858b5894ddd09c8de72770b0302327a6d76f919b8ba7d

SHA512
cebe4bf472cf8fa50b9b14cf12c6e07b16da79459da7f0459cea50f88fcd6e3e0e395302b9dea04a628b54c3e2e784dbf5b00f95d544b3b208fa9bf785b309d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
d04563fb79bdde951019e2bf19c52932

SHA1
222b5a97010f86ca2509bd9749d84288777c51bf

SHA256
d7f0e00bdacd6cc401fb22baabec85b36d5ef816aa4d1a06c9f1dbf47d8d4d5a

SHA512
37bc5a28cb8d49d8ae034fa182424e4bf6f090052c69ec746c7cbd740f6f8f82f59093238f684324ac3656689f389ae544a351687b67f01b5d8ee71f5dea4e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit