d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

Analysis

max time kernel
19s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

secureimg.html
Size

315B
MD5

a34ac19f4afae63adc5d2f7bc970c07f
SHA1

a82190fc530c265aa40a045c21770d967f4767b8
SHA256

d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3
SHA512

42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133449794897275236"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4756	1396	chrome.exe	67
PID 1396 wrote to memory of 4756	1396	chrome.exe	67
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3680	1396	chrome.exe	87
PID 1396 wrote to memory of 3940	1396	chrome.exe	89
PID 1396 wrote to memory of 3940	1396	chrome.exe	89
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88
PID 1396 wrote to memory of 3140	1396	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\secureimg.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff946199758,0x7ff946199768,0x7ff946199778
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:2
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1880,i,12639530551244458556,12506851722256155362,131072 /prefetch:8
  2⤵
  PID:3272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d30ff8419479619c31b4d685c7809cb

SHA1
8a4de3406484fc862d43ba6ba6b070e241fe39a1

SHA256
b88e8a5e2a86041916eee8a69848f4db1493a55924476bcdb87c00172267893c

SHA512
0c52fafc2123edc33f0742b3209f2c52b0c276f5b9397395a378b1ea6f266a4df833c965d597bcf2152b68c382b88fb81e5178f5c70ea303e4e194d10752d2c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
656a458efaa561bcafbf41d78bdd3c86

SHA1
c91ef73ce0be6e6dffa5af3b5d0204a999f06ed8

SHA256
87353824ec9c4c634bce02f10c9c94aa1dfb5a209242a3a5e60fec216b902b49

SHA512
c17cb96f69c92408d77a931209c0bab246e2896a56a300d19f9af4b4f4ad11f756140f13c1e546e95866c5b68632feb8d46c3964c898c0fd3a046bc24bbdcf28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit