hxxp://game[.]com

Analysis

max time kernel
1800s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://game.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133445340598433651"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
936	chrome.exe
936	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
936	chrome.exe
936	chrome.exe
936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe
Token: SeShutdownPrivilege	936	chrome.exe
Token: SeCreatePagefilePrivilege	936	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe
936	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 376	936	chrome.exe	83
PID 936 wrote to memory of 376	936	chrome.exe	83
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3564	936	chrome.exe	87
PID 936 wrote to memory of 3440	936	chrome.exe	88
PID 936 wrote to memory of 3440	936	chrome.exe	88
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89
PID 936 wrote to memory of 1508	936	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://game.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd96fa9758,0x7ffd96fa9768,0x7ffd96fa9778
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4560 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 --field-trial-handle=1860,i,5041850798225343320,8386598637573497464,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
50f51c04d76e1bd3898128fddc5bd8ac

SHA1
4c01ee811da5410346de590fc01f7aa1dc500a83

SHA256
c86e1b47438074cdf1c1f4305b85e6a6a28810b7fabd0644385c52b72ada50f8

SHA512
a3fb844b64bf456e635fa9c7efdca5d02489f4efdfcf88913d29be0d5105914fb31e502af9bfa430bd4eac8adebd562872916c40060940c059b7667a7e2d046f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
74c6a67cbbb48b7ffd6daaa0d9537454

SHA1
a2d75daaefd87e4e2440a842c6e0acccc4bc23db

SHA256
e2d21f5e9f8fb5fea10b5463ed6ce1ba5376b54bcc0d664794f5ca3a39885172

SHA512
344b271c4493652e54d1218e457b39494ba3fc57f841f8291b7f72b1186a164f9f59e240d91b1532e261e7fae5044c078dccc8340a54618e93c1e70409062629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
8d83b0c8b9f4f881f327f72deb79c408

SHA1
5afd77267b52fcd7db678a9c6388ffeef29f2418

SHA256
3b7d256870382da1785c34060e0ad93f5cd54ea6d09543d72291f854626fed44

SHA512
39657a60fc25ff6108d1a224d8b1fa0580fe63423535c61ed150c9f9f10a987e17948d832b3c6b345c0778cc3e6130434d8644c274ebb455e5e4ea106be1dac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f5867403395a34ba86fa5be78fa6067

SHA1
2bdaf324801dc52d69fbafdc079f1f4d9a1fab02

SHA256
74e2b95da55e837da7d71757ae5f655629db956aed9a0fa324d6191f5c78fadc

SHA512
7bc4414b31c62808c2c6a8eb9e54ef90d0d795e4c09cd1d46e20e42477a15959c710e897c59bde0af11b820eb23d5f89ee761245c4ed71548af6ce8ffb9b5ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
a1f077c8d0e34620876734111b0a277a

SHA1
01b77771ab61b5ac51397e740b458a47cd9b2391

SHA256
ff00c688fcddf5ca56d57bf25e05b5f22d4ad4aaf8ba324584c8e16d729eaf85

SHA512
fe7a9cbe161af650abe5239772b69857264a84765cf4464cda7e341cd20c2137f321ff78723cb6ccb0de62bd2cf53e9d4097c6d941318e288bc51309f47c3ca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit