hxxp://epcm-nas01[.]quickconnect[.]to/sharing/gq2FGyDzD

Analysis

max time kernel
13s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://epcm-nas01.quickconnect.to/sharing/gq2FGyDzD

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133444306608076323"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4116	3952	chrome.exe	86
PID 3952 wrote to memory of 4116	3952	chrome.exe	86
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 3984	3952	chrome.exe	88
PID 3952 wrote to memory of 2376	3952	chrome.exe	89
PID 3952 wrote to memory of 2376	3952	chrome.exe	89
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90
PID 3952 wrote to memory of 5116	3952	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://epcm-nas01.quickconnect.to/sharing/gq2FGyDzD
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c00d9758,0x7ff9c00d9768,0x7ff9c00d9778
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 --field-trial-handle=1876,i,11802568446902288830,17621577434642936905,131072 /prefetch:2
  2⤵
  PID:5028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
9433bc0cbff092fac1ef99578249e37a

SHA1
c06cc356340636672aa5351172f9f842828bf537

SHA256
089a0c9bea303cce01da57b6bcb6d11a86fe363c4767d2f83daea664cbd45009

SHA512
7d664859f04226f74b0e0edd1a216c248f8dce50c13e9bbb70f64eaa24d94407aba4404b9c4e9b747a5dfa4de49b8d8f2618c575e8c0c549538b2d58255c681d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
96f86f96d6a9ef11a1275a99d286b8a4

SHA1
7426c172142b53f5e24d9146102bbb33ac5845ce

SHA256
bd915c725dce9d5c2b7813c8ad58470a5ff55c4b3a3546cecb3fbeebbb81004f

SHA512
d15c08fd2e4a7a81bd1316b5b19bafb5f7bbe976384bcef651eaa6b38c10181fb32ae5a6444c1e78d425a3409dfbf0df637ebacfeee755b468cab65f5ee1b86e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
84139beda1a4b629a6a460d4f4fdf044

SHA1
594c766f806556f713541e1ae84ce21c19092de8

SHA256
1d16fa9262334d5fbc4627bd722e50eab0597caa037019d04e0c3dc1dd181a22

SHA512
c0753d419bf4581b44a33cc67cc254203bf74b4c43d0ea40131d1be3b6afa27d50530b812fffba1b6e5b8e763efcdb502b5f00489cd54280863e296d11184633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
e2bea053a45a2ea57a9ff5871202d339

SHA1
1ccbdbed0e2d38fba7fe1322d7e5324f89b28585

SHA256
8165aa8bd8fd36cceb793c35860d15e0eb9bb669e89268ef316c2804d33f76b5

SHA512
8c2633044c53a5db1be91848157fda219951598d08663f2ff79be643bb42f51ce882a099e3620a663e1e2b09afc77507c0d4f68429594484a9962f05fbd2eb88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cf5093736e84bc3780e0cb5cef0e7e66

SHA1
a0133ef84913b832db6271bf22fad2dc32c45c8c

SHA256
8040794cb9461b276e7d8468e0629b45f8ba26a21703cd80b50d381a6e66f2fd

SHA512
066cbaad2e3fdd376909b05714ad109dc0baa241e6a40aea1730019f32c22db835ea0328111142e66991da9169cd52d59640d5bfe7a7a107ea2e79b691cf35b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
81d6689891ee884689aed6d63a545102

SHA1
88f5a0323f9fa280af698d8747eca7e9337f680d

SHA256
6a98c99cec9986443a14d7bd9234e0b63184d9cce91ea34470b9b2fc4c326e0e

SHA512
f384c9a2dd6cbe9d39e7f501fc465fa029a3efa70737356195e8459f26d62e98d95a8328f433dc4d603bb8312f7c15bab3d6ae038f7edd692c6347a3b483c2b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
eb98927d5eed8985d49b663397af1e64

SHA1
de01aa790d2999e81e773fdc69e48f6385c8dae0

SHA256
2beeecedcf0e5fefbd4db74566a057f8eacfc0bb9d221670d34adcbb49932bb1

SHA512
0408c3a45e711a1eb69879937f37742d2b7d591785609332637c3bca028474ea0bdd88568b10b65d8d5cb272b4382f876cf371e41bfa1201e2422296405065bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit