socelars | 78c8a40690556bd5f469c65bdaec36cfd580f828280dfef18fe9cc433708c17a

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68f0c695abaae3d0d9edda28e2ae749.exe
Size

1.4MB
MD5

a68f0c695abaae3d0d9edda28e2ae749
SHA1

2b510c20e54356ef589ac143950c31551377b24e
SHA256

78c8a40690556bd5f469c65bdaec36cfd580f828280dfef18fe9cc433708c17a
SHA512

63a1d4c85e152f6501d0cc6ef07e515ece9637e1f9607535135c192bceb0f8ab2d13b37327371caa078ab80472731b985640b1abcb9528adc6dc10e71bbf4ef4
SSDEEP

24576:ZRp2fYlh5hJYrsWSlTeTmvL26IZX8W6jO2okW1negMdwpVXN:rp1v1ji5jtF1nQeptN

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	a68f0c695abaae3d0d9edda28e2ae749.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1040	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133475619931087054"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a68f0c695abaae3d0d9edda28e2ae749.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a68f0c695abaae3d0d9edda28e2ae749.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	a68f0c695abaae3d0d9edda28e2ae749.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	a68f0c695abaae3d0d9edda28e2ae749.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a68f0c695abaae3d0d9edda28e2ae749.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeAssignPrimaryTokenPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeLockMemoryPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeIncreaseQuotaPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeMachineAccountPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeTcbPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeSecurityPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeTakeOwnershipPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeLoadDriverPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeSystemProfilePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeSystemtimePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeProfSingleProcessPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeIncBasePriorityPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeCreatePagefilePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeCreatePermanentPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeBackupPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeRestorePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeShutdownPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeDebugPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeAuditPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeSystemEnvironmentPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeChangeNotifyPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeRemoteShutdownPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeUndockPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeSyncAgentPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeEnableDelegationPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeManageVolumePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeImpersonatePrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeCreateGlobalPrivilege	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: 31	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: 32	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: 33	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: 34	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: 35	5084	a68f0c695abaae3d0d9edda28e2ae749.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 452	5084	a68f0c695abaae3d0d9edda28e2ae749.exe	91
PID 5084 wrote to memory of 452	5084	a68f0c695abaae3d0d9edda28e2ae749.exe	91
PID 5084 wrote to memory of 452	5084	a68f0c695abaae3d0d9edda28e2ae749.exe	91
PID 452 wrote to memory of 1040	452	cmd.exe	93
PID 452 wrote to memory of 1040	452	cmd.exe	93
PID 452 wrote to memory of 1040	452	cmd.exe	93
PID 5084 wrote to memory of 1448	5084	a68f0c695abaae3d0d9edda28e2ae749.exe	97
PID 5084 wrote to memory of 1448	5084	a68f0c695abaae3d0d9edda28e2ae749.exe	97
PID 1448 wrote to memory of 3676	1448	chrome.exe	98
PID 1448 wrote to memory of 3676	1448	chrome.exe	98
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 1396	1448	chrome.exe	99
PID 1448 wrote to memory of 3608	1448	chrome.exe	100
PID 1448 wrote to memory of 3608	1448	chrome.exe	100
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103
PID 1448 wrote to memory of 964	1448	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\a68f0c695abaae3d0d9edda28e2ae749.exe
"C:\Users\Admin\AppData\Local\Temp\a68f0c695abaae3d0d9edda28e2ae749.exe"
1⤵
- Drops Chrome extension
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7db39758,0x7fff7db39768,0x7fff7db39778
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:2
    3⤵
    PID:1396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:1
    3⤵
    PID:3584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:1
    3⤵
    PID:4668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:2276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4776 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:1
    3⤵
    PID:1864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:1416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:1040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:4740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:1104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:8
    3⤵
    PID:4852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3776 --field-trial-handle=1980,i,5973034144396605374,7554307808529640755,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6b3cddad04e62496c43b447abd6aa4bd

SHA1
7fad9032384efa9ea60921fe1a5c8611aa6f1937

SHA256
57823d994b06a469a939b6f4aa91e76d3307eca6031a0e0ff15a3b65f95cf5bc

SHA512
979fd2850677a31c7f7f1b7b5a5a90863ee4ac124e1f28b64f84836bccd88ba124b8ec3b6be63b75149c8cc4a37f78217618f9926efd9e5c7adb8fc4011041b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b654be6bf6098d212b67012413c2aa06

SHA1
6891b31d80919c4610db907919818511b0b3fc56

SHA256
2fdfa793b6e10c10a1afb80eb3b84ef62a08ebdedebf7f11c0bae91bcffba35e

SHA512
a0095ad7cfd75abbd130c68da6b160060411a89fb504d00ccc0f429ca714fee98316d218188265e032213209283c73c19207782bf43eaf1d191a44d3067328d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
57574dbdf998bdeafba138d37e9902ed

SHA1
aa62e4bc007e1771b1e02b29da22b4bcb81305ac

SHA256
eb119b4d46e2fb6c2dfcbfd6feccfef7ae93ea11d9fb72d8433c4d90078d33bc

SHA512
8ce4b03ccfe06af76e217b44bfc930fd0e1ec1b34d78854f127969ce92a8beb163eb12e47a8b9c369d81fc96a7172b2f7f23526341d186ac03f1f93a7bae6ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f45368ba010246114c55033540f19db0

SHA1
bdc66e87a9f2170bc8369eff3f75a09c323cb866

SHA256
c788cc9731c072d0bd4e72edbda462c1ba27f0c730a6adbd532e0157c529717c

SHA512
e83a214bad99fe1d596649928957c0bbc62ef333315b92bf39421aa057f6e9bdf92d92451c37790f38cb72c3da73b911b785ef1b8f9a677f8b622e182c892765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
af8046dad8114e5def7f4ccb545b5791

SHA1
bac42f42b4ce089d63a38f6c10e435b6f4ca1767

SHA256
d84d7b16ce4a1e8689f3d24aa44452016b19d3608f9ae7caa3eebcc5af814fbd

SHA512
a4c54f0e699008525d9bed8447a10505eac4dedfb98923d4ea31dbe65e92447930cb1fe5180e84cdc825dc9f0b34db45dbe284b3386cb98b2fd321859027f143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
d6e4431a1d19152b1baf99174865464d

SHA1
0e04b524e8b691ff26269184046beaa7ba89d6e1

SHA256
e4fea379e37744a5f3efc0a4891e3c38fac2a9c3521911f53b747054977dbbf1

SHA512
79b24cd9ee628aab3e5f0f91ed2fe7095888f1c83473b668c6e1f8f94c95c7f257db6551682fcbabcc738943d467ad7591f5f30d2bea057d80a959adf4924a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
226KB

MD5
219a77121f10fbe72a015524325636ba

SHA1
c47d4fe18c1e10b7f04ee0b767c1b3b3dfe15443

SHA256
8c59309a93b1ccd1e77f6d69bf8f5c941756ffeef1d4f1ce762a529845c4eb5a

SHA512
d5e3428bfb812f67e266510ca65139eb96fef0bd57ff4f445085ff58b6d3dbacce612612a178d0c62235365f3c47e38907616190fc2fc591d971a9f68b3213c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
226KB

MD5
c29404ab186741aca6919b8f436d42c7

SHA1
da26a12d17aa6e8fc14535490817297a55ae656f

SHA256
d03c03e4aa1d67f92275a1107d124abea7a11178e9c2c7bfcc905dab30236cf7

SHA512
be3fa7444564b1100582e74c315566098aadf150f5128f7ef42077b05f49e7c77c1e7c13b394fe0da852868956de255f7af6b1615daea47afa62d9d9172475e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
df5c10ceff95035d3a22a9d113abe11a

SHA1
9600c32a2bfe4acf3ddb5e62af10e01d98cccc52

SHA256
b93c515db08097c4780d0dd9c41fadea04f411d240589d5991b2bd3e65b3ce5a

SHA512
a2422226a800e6240010440c0ee9a1374eb88839e35c12d383df89f87fc503cef8ee46892e22a94b06d038bf5c54b60912ff75e8fe8efbdb59e4bd32d74ecf7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
c9bf0b3c535d1a6439ead1162034a0cc

SHA1
2a07cd15f318b0392cdad8704c4c45ce7701c7cc

SHA256
27c2bcf36ef0a8f339e7c9cccd12fed75f08dc16c8e32b3b393ffd43d3e25cfb

SHA512
09024fc1d5226f25710d6fa8d4732d54bbcb0595ff822f226a30e32f93574d3062f904cf415031d76822c80cc785c4a89faae069c3f55020d5a010514bc28308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit