hxxp://mygovauprofile[.]info

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mygovauprofile.info

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133432847431114079"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 32	1652	chrome.exe	56
PID 1652 wrote to memory of 32	1652	chrome.exe	56
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 552	1652	chrome.exe	88
PID 1652 wrote to memory of 4248	1652	chrome.exe	87
PID 1652 wrote to memory of 4248	1652	chrome.exe	87
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89
PID 1652 wrote to memory of 984	1652	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mygovauprofile.info
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd29d49758,0x7ffd29d49768,0x7ffd29d49778
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:2
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3924 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2936 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4084 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2724 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4092 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1876,i,7018690843743611043,9998076709928662715,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ba8970bfa65e79f1f91a6f57fbf75e91

SHA1
ba49eee679a12504d88d24f8561946add5ef3365

SHA256
0a999f25565f9563ddfb97d493dd9e00272ff854319ba798acdd95fc4c28c858

SHA512
8ba0244f3bf9e5bafa260c65d80de25884ea1899150712b70d91c27a6f829d18945e25deeb23486dfe44040f0a17d914d83ae167ef4ab133b2079e9196e883be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
31da28571b1c85e8169efacf3bf082de

SHA1
e066213cada83323f963c8a0928dfd49318fd080

SHA256
d924884beaaf606fe4d5a8eea41524f0e0b4fafebde085f45bd0d2d1f47c6890

SHA512
81000285977ec7e77b24a66f6f4f5fe6f026af47995f053b1998febe270d523c3e3b7cfe2912ecdab8cf742ffdf3546579e1d05ac5e524796afaf27ae049df11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0b9618f52231bccbb026429b686306e5

SHA1
77550627e580e6a496099500da09974344c1c8c3

SHA256
fc5d313e9b12f24296b711ed03c35ea44598f81d3c791b0898d8a9b1570a97c4

SHA512
c8d83e6d6a3f8cb74b1b23b67e81a6a26e6d76d8228d1cb91764d563c857cdc1dd88e06b34a9cca3be929a700c5d89d88e9048138589996c196da6b7ea445bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
9953c8e1520d656c3f6daf92f5559ee7

SHA1
3541bdb2e82f1b1eb32e8807c7cde2e05c5a660a

SHA256
ddfd85519282693e0f6af7363bcaf20907659796dcbfab1f7e7a475e152e420a

SHA512
29d332723cc26ea6497f06c43f2f23976b46cc069bc71227605832723767838a99be394a21b94b7765cafc1c60386dfe3f59562a49ec2246a66acd7b53f66f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit