hxxps://www[.]virtualbox[.]org/

Analysis

max time kernel
1800s
max time network
1696s
platform
windows10-2004_x64
resource
win10v2004-20231020-es
resource tags

arch:x64arch:x86image:win10v2004-20231020-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/11/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.virtualbox.org/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133436947770951000"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2188	chrome.exe
2188	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1088	2168	chrome.exe	31
PID 2168 wrote to memory of 1088	2168	chrome.exe	31
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 512	2168	chrome.exe	87
PID 2168 wrote to memory of 4704	2168	chrome.exe	88
PID 2168 wrote to memory of 4704	2168	chrome.exe	88
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89
PID 2168 wrote to memory of 3364	2168	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.virtualbox.org/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf8719758,0x7ffaf8719768,0x7ffaf8719778
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:2
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 --field-trial-handle=1868,i,10399784194927480911,7264150990535775602,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
4d841d3dfe8707b9168a605eba71dcdb

SHA1
f11c30dff0f3311b237c8a93fd513ea8e0f22da2

SHA256
60843d467af9525e7491e672c10028ee9f247a6b4ecac7b843a9bd009f21c3f9

SHA512
15c3bdfe3ef81858d50d58389f8665457284e5d4025cf4e45a8251ca94748de6e092608624fa7b29a654b641e06fcddebadb94125664a0604fc79dd8bef09393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9e1b5df41cae114757983d3c96586313

SHA1
6a8e490f796c93224da99f394fb573f07ebec508

SHA256
d808cd870a1d8a16293a1170a9b7912b6ac99a294e528af719bc741c8f9538bc

SHA512
2db26457162eba0516dab35037e8fb1b5bb5437a6aa9afa73807df8eac80978c857d368a266e9b58140ae793130ff5735f3bed5bd579ca5a647f0162ffe07970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
51a470c92c71afa64eb4536216c2412c

SHA1
2f8ad915534e16a60b9e460845fc53b667d8b335

SHA256
36ead575dd25c80dc6b6f582e816dafaffa9087a3dff1023623ae35d9aa56726

SHA512
3e26646fdc340191a6ecde6dcf18a752932ff25a90dd8831298200613686572550f6cfa5ff4bd8583c369086fca465f6a338395db55201cf7562d87f3e7a510e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
ba73afd3dd54e98407d1f934cf21a553

SHA1
52b056da650490654d0de4dbc0e10a463b2644f0

SHA256
041fe63d3b60343c8caa4bb2b5072aaa23f483ea3cfed2f6a9d523a3a2d32f3d

SHA512
cf2807eb93e4c4f0f208981f14c1db5c59956c1a55d604c533a1a355f2bc69fe0789c29e4fe5981a5b80837421a280e6f76e132384938d632ac4ad6901ad654b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c23019cb-43a4-4a1c-aa1f-e60c5bc41f04.tmp

Filesize
1KB

MD5
d69e7ea4612d48133113decf76a8aad1

SHA1
f700baf4e80f1752d5c11448ba12d65730fc2ac0

SHA256
f698a9da0317b9b8f76bb2d671bd9b66152c8034fb6db3ac5211bed863375a2f

SHA512
975af476ec2dd5fb7d1f7d3afa123c6a4ae597a9801a6d2f1758c71f9f2d3c1a222bc75faa1ecaee6d05921536d6a753c69d552bd52f69651606571cc4eb29fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b4ef4c82cc7c29dbd25ac712976a9c44

SHA1
c055a51c26d4efd6671881ff9116a83ee95ba2e4

SHA256
cffee174c403315a8b380d2538af9197fb0bc2c240149018c38cfff5a3b91125

SHA512
7cf02fc6e37ec07eef3f5661a0373ae83d094e56e5204ee5c137f21c9dad891684447e96e9361b345756bb5e5eec6ce6714673cb7bf15e40a5b17f0f3ab38a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b9054ca237ebead4d6b8aff91abc60a2

SHA1
672e744c39df10746957fbe83cc060c85e7f968e

SHA256
4763f03d3c4dbc48954d991a2de2abc13aa880a81833c53f550c7e99180efd14

SHA512
3b33b48cbdb1174bb91823db97d5896c3b456964107357dcfe544a7f29fdcb97a7188b267f3f014591d69bd502d3ce1852c2a9517eb3ffdf225fc3644fd86827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
92230d0a345d237e1a20bf8aed31f881

SHA1
ccf8e91d1591728ebe1f3e1730978c0e37ed5f9b

SHA256
967515d996532c5af2b44b2f6a82501ad8c58e155e20b05ea04b51968dddaad2

SHA512
17dabe0abd71e0c524fc67021c15b4231c93fc857b21ee2a789513371c7bff7ebfa45f8392774309c87b10725ac257570485f18d687db6a54efb13fb621f715e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit