hxxps://apconetforum[.]org/eweb/dynamicpage[.]aspx?site=myapco&webcode=APCOCorrespondence&key=fc37f330-f6ed-42c0-bbb1-d057c074fd2a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://apconetforum.org/eweb/dynamicpage.aspx?site=myapco&webcode=APCOCorrespondence&key=fc37f330-f6ed-42c0-bbb1-d057c074fd2a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133436638150836919"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4000	chrome.exe
4000	chrome.exe
3640	chrome.exe
3640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4000	chrome.exe
4000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4780	4000	chrome.exe	59
PID 4000 wrote to memory of 4780	4000	chrome.exe	59
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 2968	4000	chrome.exe	86
PID 4000 wrote to memory of 4700	4000	chrome.exe	87
PID 4000 wrote to memory of 4700	4000	chrome.exe	87
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88
PID 4000 wrote to memory of 2516	4000	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://apconetforum.org/eweb/dynamicpage.aspx?site=myapco&webcode=APCOCorrespondence&key=fc37f330-f6ed-42c0-bbb1-d057c074fd2a
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xc4,0x108,0x7ff8c45c9758,0x7ff8c45c9768,0x7ff8c45c9778
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2736 --field-trial-handle=1828,i,4662231040752150308,14468010247351769838,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
06987d4070461b70eccc67af4c2857ad

SHA1
7b5ea82f82939468ff07926cf8c9d0ed4765466f

SHA256
6348237bb73cb100203960b57c74d1246d536000d0626f42b339b8faee334483

SHA512
b73ca153156e36049256ebd93e29d663c401d33925417b776f3f54f6160a187f6156e811def738d6d58a4707bdf904672d548127071fccd778231ce038417fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
22c5132a1442d0732600b1ea1f56a92f

SHA1
0842730bc537581b1856d8c4aeb61744ebce395a

SHA256
adf96c47bcec9c8e37eb8dfacb0e471f72f765027f7081ebbf95a59f77d3d471

SHA512
036a6a48554732b62abccd9cd67a0d30eb36cbf8f2c905707cd16cf938f166c0f88a9840384e1bc22f485e8f19f8f27535625583c7743c94ddda84aaf5c35a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
bd99dc25347b1802658e7a32ea157885

SHA1
094b7d2c98ba55d6d67b34fb2021b62fbf99e162

SHA256
18f6686d125f6f3fd21deb6b410c3c77d7be06598f0c34b776fdcc47f717985b

SHA512
a33466bbc7185558282668132c9a8af916e637dd31154d3ff52f30a8c95e39c0dcacb6cfa8e8bd2884bf13f8de97c1bacb1c06e769e0fae51399ead3026d1c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f75c8da7a44fe7dd650994c695936a26

SHA1
cce15253d43940b2bec7b0b878ea90ccbff80e4f

SHA256
45cc49830fd34c8d850a62c1cb8aa34e1b752fedb3cdc9724e2b867ab48fc8b6

SHA512
57bf26fe900779ab584ebdcf33fba54128c9c2edd17c83028c463d313848d4effce05c8cf7d23e504ebc2fc72ad21b3b85699f6130e3e11ea3f5117c8eea7272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d1eaabee49662e7d71d50d46f172be3a

SHA1
625f3f4c2a97227884af59a2ddbaa0a0cf9c818d

SHA256
39f5f0b27b4aeb4455e8fbb686ad6dc1909c0bfdd31dc06d897f3f08b2565c6f

SHA512
87017d6e70ecfde9f2d443b177c6f964c543fe6841253412d58fb0db9631bc5f2d9bd09128cfa8850460e274e8dd8289eb9d97b1d9e45a9acc208da37b89f86c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ddf999f84342d7e5bd1117d425c7e1c2

SHA1
34288e1bcfdbb7d0a5771ded9377c8011d20abf7

SHA256
33386ca5587833f231a4d98cfd6f97d388ce279894bd6928d7316524ac7f8f26

SHA512
7ec0a4b7becbb86ee73463751a573eccac526d19a140081c98c4b2d946a95a3fb79bcb71b536497d1415aa931bf76a2279392ee48ede66bff7273b2e6b11918a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
1d59d3ccbe67ce602ba80001c06b516a

SHA1
ccf7c15b6913d7d1bd60cf773a64975831ce6203

SHA256
5eb25cca2543f13c332e9b96a913b4aa731628816831892be609f13e6c8ed648

SHA512
b3e16842cc6aa75b19618d73aa21470b1768ea90fcb1f9c961f8c93362e28926f103e2b25a063d5e57145e9baa67e317ff87cbdf051da73b3f89edf77469fd1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit