hxxp://get[.]support[.]oxygen[.]be

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://get.support.oxygen.be

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133467954172209422"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4732	chrome.exe
4732	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4548	4756	chrome.exe	85
PID 4756 wrote to memory of 4548	4756	chrome.exe	85
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 4288	4756	chrome.exe	87
PID 4756 wrote to memory of 3996	4756	chrome.exe	89
PID 4756 wrote to memory of 3996	4756	chrome.exe	89
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88
PID 4756 wrote to memory of 2812	4756	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://get.support.oxygen.be
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd2879758,0x7ffcd2879768,0x7ffcd2879778
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3916 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3860 --field-trial-handle=1872,i,16729046727721976381,12036141313390904973,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
0facc3ed4ef12cfa40fb75f021e94e84

SHA1
deeaa90178399eefb3810e55c61ee1a0c1ee82b1

SHA256
e56daea391a0ae962902e43e5abc556a050725c6f1316538bfdb751381dee2bb

SHA512
55fe551ae2f0411d76164d3660b5c768488b9948a61bbc10b13694fcbbd2f19a52241b384413afaa361b4b420f146d3cf8c668c931eb95e352fa8cf47bb515ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e1dd1cac4629ea904310eb649fc056fa

SHA1
621943f2c52376acf05d9ed67d3bde28148cdf87

SHA256
be981be59d6c685b60c9c28f77138acbfe566f0fbdb40868a11031aee5e2ca53

SHA512
d58c2f3a93ac0dde3ebee67d729394871fdb055e779dfdb437cb2d92d6626db0d3cf1b15bf8eca816c7744243b4a37a8a4b9f95847c5b6b15fee882af9405004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ee446dd00a8eb333684fab2bf0f2dfb3

SHA1
c58a43c659271196e07e45662888c6cdd9d80b58

SHA256
b66d21b6a7f08b724346e4f0dcd7e6088184d3f5b6a5ce14cfaa265e66bab38b

SHA512
537cec9297470fd1ed91099e57e732bb484f79decb095b74e1e4f511d42810d1be2baa170093cd0dd4366513ed58e385d4b6ab482555a102eb921919bdc17644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f277ce19fb7d8d3ab694af08250c06b4

SHA1
41132b5a50a0022e1cef892fea3d75e584abb2e8

SHA256
2ac13b15d5470af585511b10da6eb0ee7a70436567a042420700a302f86af45d

SHA512
5e96961dd29b06f990c9aeeaabfe5a1cddea3a900e5a7731b615c9b4a205e86ec9ec5173ec5e1dc80a626a932902d2e1088d91233ae3d939232144f9cac85b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
53651ee70a1d407bf9ff96a54bc9fc25

SHA1
5b451ab748debd201b05331be384b9a47a035cd0

SHA256
5d4281feaf0bbb1da59e645cf8ed05c6bb7c55c315d04e06202be49a1c6e0948

SHA512
46d04e7f6eec77e0e0d0c43c972b2f4a1b41d8680d32105029f02153096c7c20a601b7eb6b9059b476b1509fe628b4c1864beddacbb08f9b2be07a951aea0db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit