hxxp://mytaxverification-incomedocu[.]xyz/

Analysis

max time kernel
158s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mytaxverification-incomedocu.xyz/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133430933008124169"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
2268	chrome.exe
2268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1812	1092	chrome.exe	86
PID 1092 wrote to memory of 1812	1092	chrome.exe	86
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 4304	1092	chrome.exe	90
PID 1092 wrote to memory of 2960	1092	chrome.exe	88
PID 1092 wrote to memory of 2960	1092	chrome.exe	88
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89
PID 1092 wrote to memory of 2740	1092	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mytaxverification-incomedocu.xyz/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffb849758,0x7ffffb849768,0x7ffffb849778
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1640 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:2
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3732 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3760 --field-trial-handle=1924,i,6217787814114576853,7224610301819292280,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
cc88d78798d5880164033aff3a01c9e0

SHA1
89a36dee325021e72d41bd0768d451897b44f484

SHA256
61117094eb90b711bbc4afae8d5912edbabe966c934a68248e002c2bab9e7dab

SHA512
a5bc58da2387f784c1a84ebcdc9591b8e40c097bcb22b4b15442e403a9c6b81b560b653baff62d621ee1b0418612cc4e4c839d4327106bf27a3e1caf4f9ca69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
72021b65264ada89d78c82bfdb52eeee

SHA1
06004ddc2e5b64ebd2df0148693e57e819fe3938

SHA256
5783b8923847566ab1c3603c82a988a2784f9d18533e9b3c35143b7d86f77cd0

SHA512
9e9111fcfc046ff3370e9a418a6fad9880ef69ca04ad828587909a7ae4500bf7b3dc4de72cac1ba0f405e33a423c0c7095d0b2f89a17607591c4745cb34d7f8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
15d6cecbc75d3bb57b596c0f417dd0cb

SHA1
7b85ee95d3cc27cf4e7a638d93c165d94bc07838

SHA256
ae102b5c77d7694055dac4333b978eab6483c28e0f4cd61255528c9ebec98112

SHA512
46f9bc6a4ee5561ba8fee89c853779be854a51f16ea0eb0f4efd86a40ecd49b5482fa30db5a260aa73944d8c4feed292747099d3bbd7d24e46954f439af5e480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c1d9d762fbcd1c046036b8461f5e9b5

SHA1
ed869deef64417a4e20978a63003396057f27f8f

SHA256
e613070acd280cf7a99e407e3ea6f2941587562a4b97836590b36f6c9fe56034

SHA512
e02b05d507cb71eea92ff5e780baf39844ef11fd73569fb4869f87588f70242b6dd54a85da2da6f94a944b7530ea494cccb5683b777b1d3c172eecb89f5db9b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
1e18576508ffb1392da8303f2f731653

SHA1
09b7b4ff30b2b2c384ab76e8b379b28042c06ae1

SHA256
523136c22379fddee2581a112023393d6e45d143b547767b50a2247c2a592455

SHA512
d781c040139ddab609b2b24befb19ae7fdae48b9ec9657d69e9ed0d7f693101b224a027a73e9f1e377a92dd392fd703cfbb8b7460e4b2d51a692dd92db0da751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit