a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7

Analysis

max time kernel
149s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20231129-en
resource tags

arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
submitted
05/12/2023, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XVm1oVUswaHliRVZKWVZJdlRteHZkSFZ6YkdSSmMxWjFNRGRKVFdGelVIVkNlalJtWVhWSWJqbG1UR3Q2VFRSRVFVSldTRzlUZER.gif
Size

43B
MD5

07fff40b5dd495aca2ac4e1c3fbc60aa
SHA1

e8ac224ba9ee97e87670ed6f3a2f0128b7af9fe4
SHA256

a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7
SHA512

49b8daf1f5ba868bc8c6b224c787a75025ca36513ef8633d1d8f34e48ee0b578f466fcc104a7bed553404ddc5f9faff3fef5f894b31cd57f32245e550fad656a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133462613998388774"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
5100	chrome.exe
5100	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3416	1480	chrome.exe	62
PID 1480 wrote to memory of 3416	1480	chrome.exe	62
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4480	1480	chrome.exe	83
PID 1480 wrote to memory of 4312	1480	chrome.exe	84
PID 1480 wrote to memory of 4312	1480	chrome.exe	84
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85
PID 1480 wrote to memory of 4964	1480	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\XVm1oVUswaHliRVZKWVZJdlRteHZkSFZ6YkdSSmMxWjFNRGRKVFdGelVIVkNlalJtWVhWSWJqbG1UR3Q2VFRSRVFVSldTRzlUZER.gif
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffea8f09758,0x7ffea8f09768,0x7ffea8f09778
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 --field-trial-handle=1772,i,6095485912569977535,9194568336837873118,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cd26d4e8ed7c4293bcbb914191ae68e5

SHA1
68c76459848e09892d88cc5ed08089ae215949ff

SHA256
a5ad6f2cc695394c7a3887ac2996133fce6b876f7ec3d60a20b3b06624aa7512

SHA512
1dc6fc0b0d4b5bf196abede054f98a42b23d3323dbd302ccc5cffff0a35aecd66960e7f425b8fa414a239f6ce80fc8e7bcb04cd344f56e51fab2bfef3db0f8bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dd69ffb1fed094a8d109a69a0088bbfe

SHA1
324130ebd6af614e68478cfab9d6bb7a662bd822

SHA256
103cce969b963eebc922726f3e9814a25659fbdf10c5702d7edcaf78c7cc1dde

SHA512
de5d96cbc67486a17382d7f70cad751db8a64055bdf514a632680e1d814bf30c0c36e0b68da9cee88b4a3ca9a354036d6c6da6b7a290c96bed6e1e7436b78a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c29ceeb45f5dbb9199ae251643ed3c14

SHA1
b3242e01c4ff4f08838abbe47de5ebbe29cac527

SHA256
48a4e559ce8c25904bc7ac01e46705b125b31bd15f80dcbab412d68d4ba940de

SHA512
13232d12686a88d5113f2f878bc6d94b022876a5851a6ce84b86e2deaec9223e8a031ddcb5e28d5a3bea0cceb27efbedca7c3a45a9d7c3a2fcb57b3c6cc5c8e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
c951532bec29c32ca8ec3b909f2cde9c

SHA1
9bebb0c41095807d4f2b6bc6077bde10fd0d0a10

SHA256
125f4a9d05f5aeb59ed1afff27e685000f7b36ea09a80d2b10b91a4cfffc0d50

SHA512
8424fe0308d1244243cfc2da86ebdc57faa55bf5776724b505715fd563795cdf8d689636f72a4c00018bc6482b6d3ff8bf9bab18afa5b8862dc050bb65bd1f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit