hxxps://goo[.]gl/adyir?5CZE1VDI#bmNoZXJuQGZvcmVzaWRlLmNvbQ==

General

Target

https://goo.gl/adyir?5CZE1VDI#bmNoZXJuQGZvcmVzaWRlLmNvbQ==

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133467830129177292"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3300 chrome.exe
3300 chrome.exe
1212 chrome.exe
1212 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3300 chrome.exe
3300 chrome.exe
3300 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3300 wrote to memory of 2316	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 2316	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3488	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 2640	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 2640	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3016	3300	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://goo.gl/adyir?5CZE1VDI#bmNoZXJuQGZvcmVzaWRlLmNvbQ==
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff881229758,0x7ff881229768,0x7ff881229778
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:2
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:8
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:1
2⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:1
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3892 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:1
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:8
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1876,i,11640504351635995671,11908557086996973551,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
7367776f3c8b22f6335bd3cea2f939bb

SHA1
4261731debad67f8d0ff82864480cda26b50120d

SHA256
2ac67258e38613c0038b4c45a6ff19378fb90ee4cfe99b257b677b7d57c7c88b

SHA512
4210597391b29c36488ac925e1eaeb5425bfcb7f29be226d6d4bfa3eb22834a4cac6be332741e1585c4e24460445ef53563376bf3796264a562b9e626e1a0bd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b444be5ba1197182a1e16de9d942c87a

SHA1
1ec06e73928cd6961c0e100903071ee10edd9664

SHA256
a7c4369b415f7d0fc3ea9f8328bdba72e3be8ecc36a17964fc4082b7206d936f

SHA512
829a9894babf58cf69f9b44f4c0521e60995f42333b2d854d30412e8b8c976a01eac44c0bf733426a1fd6b88b1d480aa6a126ca0fcba93131cb6358f880536f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
a5e6eb197a5ca55902c558b1323b2588

SHA1
431f1c0218fea9a629fc36c58cfbe41a5eecd153

SHA256
8a87d1c9fed0d3ed65b6d32ac8d2faad88861bfc4981144b33b1862023f5f655

SHA512
f7df041136d2b63c71ebf459059d393cf148847f60651045f2e77d57b0dc686cfcddc08f9e47474213afc9fdb2fe556de8b1020e7bc13619e2a3cb4b2c940f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
533604f31b945bc0a8e301403e220299

SHA1
496559b61d5896abb66718928fc7781f64d081be

SHA256
6f1aa6b07c683bc90464ad984839529b39b540bb98489364084781fa01ecf39e

SHA512
1998817008f144ac3939b4cfacd6a0e26e8ed30d87637b0c7cd68985c463672643d54014f3375c154c8c6e3ff8573673fdcd9371b584552faa1fadd711300104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
115KB

MD5
ec00d4167c39f1ff5f8539c3a660e623

SHA1
263a049d163f581c42df603719c851514cfb9e3c

SHA256
bfac0e6ac3713562a5d896d333197702034d19e87736a6c91a1eba50dac2a718

SHA512
d86ca6bf85ce8f10c77353a01b3fbd359d78b7183f4fa6c66106a45746c059a1ed197c62a1173d70a37c4348cb1552e338360d2cacbeb6728105cab449c8e98e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3300_OZKLTZFLUJMMDENO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads