hxxps://www2[.]prevedere[.]com/u/NjI2LUhNSi0wNTgAAAGPlzsPLehj1_2kQQPtzKgq-KX8MQMxod3qlbIm67bkZb_QNGFWruXsHxR6lsJPjn30BMlMG1s=

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2023 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www2.prevedere.com/u/NjI2LUhNSi0wNTgAAAGPlzsPLehj1_2kQQPtzKgq-KX8MQMxod3qlbIm67bkZb_QNGFWruXsHxR6lsJPjn30BMlMG1s=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133454951875112947"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
1412	chrome.exe
1412	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
564	chrome.exe
564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2904	564	chrome.exe	56
PID 564 wrote to memory of 2904	564	chrome.exe	56
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 3580	564	chrome.exe	87
PID 564 wrote to memory of 1308	564	chrome.exe	89
PID 564 wrote to memory of 1308	564	chrome.exe	89
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88
PID 564 wrote to memory of 2100	564	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www2.prevedere.com/u/NjI2LUhNSi0wNTgAAAGPlzsPLehj1_2kQQPtzKgq-KX8MQMxod3qlbIm67bkZb_QNGFWruXsHxR6lsJPjn30BMlMG1s=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0d6a9758,0x7ffe0d6a9768,0x7ffe0d6a9778
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=368 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:2
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3992 --field-trial-handle=1880,i,7578655691856955066,3670129898847626572,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
388237f2bb4f36bad5c9d9c2d53cdf86

SHA1
18f6cb085796e2e1d15973e9c4a0c6e23441c443

SHA256
ff91ef27f08d4c7bf4d0b6e466c6e59ed347b2f49cc967dd57344cfff1dae0e7

SHA512
d84d0605b06f20e293f3a67c887c3b79647d6b27f70c8d3d141e8a1704aa3ab33dee5457cbb4624e791fbdb1272b610c6c83758ea3fd25ffedc47d96a0595b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
62e0036c713858381e31912b5c2cee72

SHA1
35d207b56b73396fab5ee716e2f8e1c7c4c4cfea

SHA256
37c8338a034824246f65cdf9470ba7631eb71bded8e246d57af25089a0efa099

SHA512
89b80bc0e4c109921c4799f078e55d90e2e31e5b587a787495525229b1ed775ef33254eb512335a1b46e93074b7b77d396f565010e603fc902310c3a29b5d200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a880d7cc-1f08-46ec-ae0e-1b4e3e7f9087.tmp

Filesize
706B

MD5
6e7cf17f5865c7c31fd945c859b9c297

SHA1
3183ca4ea7698defc6dbcffc8c849f8843c4b81e

SHA256
96b2a7d1ea93314b6c0eedfa8a9a3cf620ae287ac6b5e6b8d81d8eda2b3efa92

SHA512
6670f1bdfce1a0ef489e0ad21b3d32acc96f6d92591e52c5377c0ece488eabc2b33a595de264411f6982eb78691a5c3f330ade7dc2d0f60540373319756ad36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2fa9c77c7eea15defb299b6d30c7e5ee

SHA1
0558541bc65c8888a6e047a478090479c424963d

SHA256
7fa62494c41927a44e652c509539778a7ad904c1d770536d249390bf84d66b3d

SHA512
132763f6d9e89561294b9289a3a8293720afe3993e5f0854030b04bb93e2ca24fa15497f4f415457171e300c26cb31b318c0bfccf48805697212cb64469041cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
965bd126aeb5243f60c8d3901b850aa7

SHA1
9c162050ce45902745521cfddd8529957087b184

SHA256
0403bbac11da001a3fc78ffd9bb557a909b856453f0ff8fd9a0a2100c175586a

SHA512
b98c28dd4fb0a93405248b8c924eeadae4474690d948220794f4da9443fe10bb0320e5ffa9cdedb156a92ad800d815eb073aa3d55c8f21edc8e412eb8efab8b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
7fc99bbc5c252f1e98486321cbc81e46

SHA1
12fe36fae8cd58179a6d8f183db0d28d75daf639

SHA256
ae7adff7ccf935da46c027249df8fdf4c5796d7f3612c3137615b65839008fb4

SHA512
62ce2be92e71fbc9b3c53b421e5f9c72d5b097125ec12ae68556f0d44a43ff5259e3c540218da677ee8d98c2a0c432389de94393fa7be73a4b1a8aa3824b012c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit