hxxp://www[.]google-analytics[.]com

Analysis

max time kernel
1800s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2023 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.google-analytics.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133431274902707421"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe
Token: SeShutdownPrivilege	3652	chrome.exe
Token: SeCreatePagefilePrivilege	3652	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2348	3652	chrome.exe	25
PID 3652 wrote to memory of 2348	3652	chrome.exe	25
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 3284	3652	chrome.exe	88
PID 3652 wrote to memory of 5064	3652	chrome.exe	90
PID 3652 wrote to memory of 5064	3652	chrome.exe	90
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89
PID 3652 wrote to memory of 4792	3652	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.google-analytics.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fca99758,0x7ff8fca99768,0x7ff8fca99778
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:2
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3748 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1872,i,14449104102410249260,15597537934481777220,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0e6506bbb02f2298fb23c5621f4fe2c9

SHA1
363bf1b3c20bc05cc6d11bd45757edc526b351b5

SHA256
60106e1f5cb8515466b5605eb996dbf71975c4dbb4ed2ab88e36e16fe5bc0b31

SHA512
88f3302dc3017c0122e5c8e558734c9236bcf4b2f0a9090d9f1828e6372ab640ca925d92384bb64f7d411c5365e6b49cc1e1a587909b6245ac3d0fc11cb50ee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
465776d2c643ec59f12d405549520387

SHA1
439e002573bee4d96bbbfa44342fad50898bd9c9

SHA256
70da9308ee018ac72c8e9e70bf1efa65c6b0e7faa70b77dd9772298b9079037d

SHA512
37f1f2977f17986a667f6a602536a353c82e46f3aa1a1c408f864fd87dfa06227b6ea4d509f2bd46252bd2ab12ab2dacd64bd6f59a16bb6e65dae01ac44b8646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0b3c89ebed57b33fb6a5125c24f4e1f4

SHA1
241289d1ab9fe7f188b192b4330e52c1d7598294

SHA256
1727a31e22d5898513224fd9cd87579fbcbfbf0073df95565076a5f7bb7a2705

SHA512
81b36c1f5dcb19abe236947dc5ede87a8f8495e691f7a0018b5ee0566ed99f9708e56696cf04da8788f3f4a5fd8bf9c1496c8d6b5242b83a57c2e3e094d42fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9d9beb633a61006636c0d801f5329573

SHA1
6c3acba6846d031edf40ba80537ed43fbe1e2474

SHA256
9e16fd98afc8f6d9cfdf5b6052ea956c7e1b48431a58306f8c6408ccf5cd48aa

SHA512
b5469fb5b4bcf285148f13ef49ec27b1ec6896a03a5297aceb78cb0902b05b012865111238a7e9e5c0e61c2e847d5214807d11d0554a79e5ab6768e06d6d6628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
662c2054881fc72c1b76feb1e647cd73

SHA1
2085f82c2a50c2b9376625057bcd45a054d1e524

SHA256
52d7ab1c69fd2a65176c6e19d4a54673d94e7c3492403dbef382ad5a96cf811f

SHA512
2f816ef7aa499adab419f1d20379a217eedec317f44e26a39b9c3d94caf05638417e8fd47274e64ac6b26f14b35db87a04a96ce5db14a5443835b8259cf2636c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c787bf1f667ec99ce73bc34da51a7d8c

SHA1
7b45d7d73f622b87fb5648a4c2a9f9ece699119c

SHA256
d113eb5d5bbaae3bf06e8626f4fa10dad36a887c9f3058e26be51108043b239f

SHA512
a820440783c873b3f24056976deefee126e98f67e850bdf61b5c0698d5a7aefefdc96cb7aeb937e44bda18400a048fab5ca772708dd4f827421cc0b152f20ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
71808a79c5b98e4d339b25e25efd3b78

SHA1
c12a8da492221dd6f1140eedf854addded8d0c50

SHA256
74eb5264c7ac376eef947d1741276e5c01b385bbb3764e98e125e77d0502b9f3

SHA512
e7b289a45d012e61aa98b5f525ebca2c5685a3e4d6c4c9f2850063b19e43e123af831793637cf2b1c4c0a7ca8f2855079302fb6e992fabbedf5f9fe376ddd41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit