hxxp://ip-api[.]com/csv

Analysis

max time kernel
599s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ip-api.com/csv

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
9	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447045436158412"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1228	chrome.exe
1228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3112	1060	chrome.exe	74
PID 1060 wrote to memory of 3112	1060	chrome.exe	74
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 4412	1060	chrome.exe	87
PID 1060 wrote to memory of 3524	1060	chrome.exe	86
PID 1060 wrote to memory of 3524	1060	chrome.exe	86
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88
PID 1060 wrote to memory of 3780	1060	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://ip-api.com/csv
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd3ce9758,0x7ffcd3ce9768,0x7ffcd3ce9778
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1800,i,14572900722145978521,10339756270050427739,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
938ee7042cdd67bef68dbb466d4a4dc0

SHA1
2da5c0c008b78c537d77aecf14ed1b4872167cc2

SHA256
02c3b066cf55a2b8a2ab8490d1eda035e91e2c558f34a313b946d4878620b5ba

SHA512
a683804132c6ba5907fb5e0842a15c9b7a1969f1df361f94dba706ee1f328a5ae6d29369d62580cf9e310036750cc7b4113be70c9d7929ae00e09022c08a3991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1229f29da80d87f27cbe1468eb0c90b

SHA1
1355b9522687a2b32b41ec1b8f0e2da6d90958cc

SHA256
3e08a4b102a8f82e14a18f580b285722e9444052c293fa2a3948deb64d02942b

SHA512
43e871c9069b7121df6e01725c705a07f8b1004009d42def9d018b53fce2445b3723d3c71bce058e9f26efde7d0fe8c3a99c1a5860e71ec80ffcddcab9911aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
01729524fdb3d3034d04878b8498c1cf

SHA1
78b8426313c8193d995d3733f6ce27916d66d56e

SHA256
bbbe66297ea3a9f4a87579d09ddbf401b8d4a46a2666c7c15449f3953978eb94

SHA512
1d439c176297063574af1e97d0c90fd29dcd445faf482c0affe19a50b6ae23c844e0316abb296e1c3e05c225eafd6b9b81e6a67cf1633971e364c48f540893be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
4e34e0610af06983259d60ea7a5280d1

SHA1
c10f00831e8f99f86e2cda17078c91e90ef14f30

SHA256
25c4476fd0b784de794942685a2dd1dfb04c6798f43139f4742877f0a926615c

SHA512
66cb4719493b56b389679e8f39b692dbba7389a0859e4a19478ccee1cc36f2a1d914a4b2846bd35a9b32c6a606319dad6549af23b8a9fbb48477393f1ba1c88a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit