Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2023, 18:36
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pay.izettle.com/?32Ds5M_ZHV
Resource: win10v2004-20231020-en

General
Target: https://pay.izettle.com/?32Ds5M_ZHV
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133455838410590111"  chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3952  chrome.exe
  3952  chrome.exe
  2292  chrome.exe
  2292  chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process
  3952  chrome.exe  (3 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3952  chrome.exe
  Token: SeCreatePagefilePrivilege  3952  chrome.exe
  (the two rows above alternate for all 64 entries, all from pid 3952)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  3952  chrome.exe  (26 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  3952  chrome.exe  (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 3952 wrote to memory of 4372  3952  chrome.exe  83   (2 entries)
  PID 3952 wrote to memory of 2944  3952  chrome.exe  86   (repeated entries)
  PID 3952 wrote to memory of 1032  3952  chrome.exe  88   (2 entries)
  PID 3952 wrote to memory of 4748  3952  chrome.exe  87   (repeated entries)
  (the four rows above account for all 64 entries; every write originates from pid 3952)
Processes

chrome.exe (PID 3952)
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pay.izettle.com/?32Ds5M_ZHV
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  chrome.exe (PID 4372), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf2799758,0x7ffdf2799768,0x7ffdf2799778

  chrome.exe (PID 2944), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:2

  chrome.exe (PID 4748), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:8

  chrome.exe (PID 1032), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:8

  chrome.exe (PID 4308), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:1

  chrome.exe (PID 2448), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:1

  chrome.exe (PID 4304), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:8

  chrome.exe (PID 1324), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:8

  chrome.exe (PID 488), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4828 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:1

  chrome.exe (PID 2292), child of 3952
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 --field-trial-handle=1868,i,9250136221765029960,6003711770344731919,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

elevation_service.exe (PID 4812)
  Image: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 96B
MD5: f7d4043d4be2a40b2b36e87d3b99d471
SHA1: b2ddde4bc56d23930b251e27cab167955c8cdccd
SHA256: 82ee4123c07c70b7337c5e6a2937ebd78654263bbd5c1c7ac1e32324573bd140
SHA512: e4109e04fb4b59359c158632988f198f27b67bb78b3be18bcfb83d5f6e4d5a35c64e2f05cd199a771a1b98f7b8a8332817e392fa77f5b415728d278124b4d8ac

Filesize: 1KB
MD5: 440ea6f5786043843c216b290584d9e1
SHA1: 8497e302ae8d9484453e8feb194bd8510cfc24be
SHA256: 5f8b941972d916da45b923c09b0861207941769b6f56399450eec89b2b9a90f0
SHA512: ed5b4e9d907da2d5313ee57126bc05428e98db59bba27fede9c1b2f241d58f52f0272e7cb0ea7f989dbd7fde99b6e4b84bb2f47dd2013ef114bbfb9a98fa474e

Filesize: 872B
MD5: 1490f49df653a9c306585124596e5a94
SHA1: dcf2b3bf0256c656b94506c1bb598dfaaf551321
SHA256: 8b762b045ce8f3078770d0fd9a6c51c2c072794a8a89f6a41e2e25eee1fb7b0b
SHA512: 0e2e9b3fc9b95e5321c12b6670cd00bcde33837cab4a3d25d653cc74c93964f361893092b9cbac61598879e999f9e7c0cbe9515631d34a6019d586cd0b8f1d3e

Filesize: 1KB
MD5: 998bbfdae2e1a0335381909d7ed45526
SHA1: c93493c9a2b36de6d669e5122a70e82e7b8d8a89
SHA256: b3c51d6c3ceea393e0d1a9692509f1fcd18db5fa2dff275a770546a95e0dda23
SHA512: 3af49a425880ff015a718b5f3dbd8adf462775d4e310ff3f671b4c3d82b79362048d7f822c5c7e71738735a5aa95d8bdc950869cf38cd4f72449cec29650a004

Filesize: 6KB
MD5: 4d1e6c5c2685f9e5fbb35c27a44132e1
SHA1: ca7208591aa587d6abdc8e1c1b6f2272d0d8f3ac
SHA256: f2c855134e1dc6b6b5dc47d97fe7585da8b38d31561ee55c01a20eebd0c11c87
SHA512: 281dd3a9f3d0189876b395b77fc6d4500910f4853a0558d4e1eb73a31101dda842de66fb7db68e570a20cc99e6a73574f276cadac2c8d9a32e1b0d6392280b69

Filesize: 6KB
MD5: 5d029593c5d9ed809d98562285e0e9de
SHA1: 908df63bf0df273fd10acd882c3c693cc405633d
SHA256: 1b5f1bb690bb4e31d27d7d71e2f122f06cb62be5a008f96a2ef2df43718676ab
SHA512: 2a80c3d31d92563782747bf52dd1c7fec5b503bd48c6779ffd3a84dddadf10add0c66a3998d8ad1e81273caf9fd3d89e9d5b3ca373351ba95816b57ad489dcf5

Filesize: 109KB
MD5: add8205c6da326f54954b976e1feaf23
SHA1: 92f75113351642e97dcdb19ccbabc9d41e605e49
SHA256: a7de3614111fbf59a90afe6e50c17e741a75f39a1bb5a429d02563b183ade052
SHA512: 7991790772b00a71f84bf9fee866382027280d14ff2140cdc24832718399bc87afe0164d5fc4ecde6ba61e857a43a083b40aff5bc26c67655b1a4e1b01cc76cc

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd