hxxps://dev-nosequeseaperobien[.]pantheonsite[.]io/

Resubmissions

03-01-2024 19:08

240103-xtkaxsghhn 1

03-01-2024 18:41

240103-xbzb5aghdk 10

03-01-2024 18:37

240103-w9ws8aghcp 10

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dev-nosequeseaperobien.pantheonsite.io/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133487809203415299"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4696	2640	chrome.exe	64
PID 2640 wrote to memory of 4696	2640	chrome.exe	64
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 2492	2640	chrome.exe	91
PID 2640 wrote to memory of 3292	2640	chrome.exe	92
PID 2640 wrote to memory of 3292	2640	chrome.exe	92
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93
PID 2640 wrote to memory of 624	2640	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dev-nosequeseaperobien.pantheonsite.io/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c6bf9758,0x7ff8c6bf9768,0x7ff8c6bf9778
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1864,i,17459682045877127065,3344333603461122229,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5f73359829c7687803f4105821f8e67e

SHA1
4648939e67f5a2ce6addf6cd2f622cf214af6d46

SHA256
55e2416b1d114d633cdcfa27d368073e2fb95f6291596e27127427cae74fb65e

SHA512
0150d78acde7ed2a072520963bf42d84423b9c8614861a3c067e093a197325bbd4dc209d0747d5656c8cac5cba4392c3fbfb66009c3ed1bd17c36241aade28d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ea2e2a5468f242d2fb7ea5ff8a4361df

SHA1
655c30660aa7c953120ecb8f3a16c39bb07a4abb

SHA256
5d3f55a1d2eaa0f66a9c0a38cce3592da7db304381d45a3bc770629ecb59605b

SHA512
3d33ef0d727400f8493e744ad71884ed263c178d94281414ba097617c4b303663e952a82b4cac098af892845f10ecc437ce2f39edbc0e0181f8049c908a89e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c1323124292c6b23e8c8fe28ca0302da

SHA1
4ca5bbd4204082a09bee10adb22975036f634518

SHA256
ffbe2503121f98ea8d978dc6db8fe364056c5284587065c0c606b49784c32221

SHA512
c241a3868b9ee024bd734e1f7a95c1f83e98e78c1ec5a384a0373a8f697b9a8d0f63bf84ea1d5a54ead8c61e38d25f5769d5a85cf211ceb4146741364ac27334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
209992e8f436ff837d2b369dd5263554

SHA1
f6004fb94767c26e1d2f73b8e9f0eda907ac49ad

SHA256
f35c8420729777178de41c567642ea5a25ee5556902123d4e861c09880723c3a

SHA512
aa6146bc9a780afae92b0e2f291be850b189707308231b2eb3cbaf785d590b7872ec15b48c9be778db8ff07e70d87dad8f8b5ea705ee4836b7cc0c1289999b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
670768b8008d4696f1a50be8cda6092b

SHA1
d43c7aa23eefea088f8091fac3c03c959b3135bc

SHA256
82d46b93cc3a2ef4cd56f6226d96def1964b48eb79609bb96b9525e03b529b1a

SHA512
577824fa523f06494dc8a618a8eab580405a774374d4a694aeab6aef1e103bfbfbcba433f572840abd8a002e0e5cc750f9b179b21f9109054dd0cef3d59aaf64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
03369a3207cb1993ec6170329ad9a0d6

SHA1
747cbc94201b85564a183f486661f6425ecf9009

SHA256
3628cbf1dd257972ce5bc1da255fd5fa00b34b1a71aa06fc6982279df853cfbb

SHA512
bf340a16c1a18dfa82835b94258dbfc30801d24446ab69245d65ce599fde286c7991debf2a7f32fe3341f1703b5a433622e9937902faa811ea72623a100c3d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit