hxxp://www[.]torproject[.]org

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.torproject.org

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133445090836319505"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 316	4640	chrome.exe	56
PID 4640 wrote to memory of 316	4640	chrome.exe	56
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4464	4640	chrome.exe	86
PID 4640 wrote to memory of 4576	4640	chrome.exe	87
PID 4640 wrote to memory of 4576	4640	chrome.exe	87
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88
PID 4640 wrote to memory of 2808	4640	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.torproject.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ae039758,0x7ff8ae039768,0x7ff8ae039778
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4824 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2528 --field-trial-handle=1840,i,12561397385026132407,17889489362690742298,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7cc361239792f4f7497d52d1c8f7ab44

SHA1
5999860ee77a13d3c4b5a77865ee6cc6b587a838

SHA256
67cb64912f803cd9d52a25dc528c6bdeb650afd55d00ccc9bf68e9db6c036a19

SHA512
7cec36a9297f95f19be5b4aab6840424d79b720f66dc4aa4241c11a2185b885900d44fc204c19f376354c982110b78c5861956f08217981c10cf8dd8fe3b5c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
4e1145dfb2ba30a6bd66a54793c427a0

SHA1
57ac2270c054935e8a6db8eff0e5caca58d03efd

SHA256
37a6fe3472c4810a6add17710251d0e5d08600ac05ad1a93b7b6d3fc36922113

SHA512
5e3e0258f0c3c69d41f5f2f93d4fe92ec97b4c19e0adf3d9a0e9f92604fa0abbb4df5769cf4ae1dc9a029274a97293ef9262efe788f17cd09e8c7e5102cf75dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d7ba30f0854c1163d4c381028b197335

SHA1
1d1148c8987e613b7ff6f7319020b9f4259c2f2f

SHA256
812f76854f1e27d3c69e04884615815f56d5ec0a5d08bcdd66eec112f4f7b648

SHA512
0fce1bb3f9406aab28f3fc6fdf5dc6b38a0c1f842f204cb22ab73b6f2ea0c27030885bb5858e3c1315e60dddeae4c320d1ab7a8967c800fc28771ee21ef02248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cc1e962a37acb1ce38a100ee0cb98793

SHA1
b84de328649ae89e66684410f5e1b00231a4bdf1

SHA256
7e8cc368f57fe5a4fbac20ab87cbd2c3ae446862903e874ff496629387a93e57

SHA512
9b00d1d55debb3f324ae3975e3ae1f877aaedc638fb8a93ea59d9bf17351629ca820ead8e65c5c97ea477c358349541ff2ead185cc52b1f370e518eedbc4e8dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ba55ca91727588e65774bbb3e40fbad3

SHA1
ef82f8ccc93a5c28d93e36350ba325f489f80cb4

SHA256
8b3535ee6e7422e75a64d80ff16f7f4b0dfe6acf05c990cb977f468f2ecfa6e3

SHA512
94b22f4f91b93d46b3a15bcb0caca15d8d26d82bfaeab5a26629e150bee8e4ae147fb92fe1f3ffc6577abe2133732db4bc308aca0bb2d77b4e1507e8068ac378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
1be770132375c02860323c45066cbc9c

SHA1
a3fa8c34436748242739b46058215816cc86d86a

SHA256
289333b8cb6362525ac4bcb8bd8643b2374d58b98efea76c6e4c09488f21d7b4

SHA512
9593196d65d5e6a3a4835979887f10b541f9470ab943aa6dc2237c1f12fffe84ec9e6243bf97b2e0c10e4b1db956e373b308ad7981d7ef899600c3980947ce8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit