hxxps://vgwshsw[.]blob[.]core[.]windows[.]net/bhedjnjjk/6551[.]html

Analysis

max time kernel
299s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vgwshsw.blob.core.windows.net/bhedjnjjk/6551.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133492279789516594"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4112	4940	chrome.exe	29
PID 4940 wrote to memory of 4112	4940	chrome.exe	29
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 1704	4940	chrome.exe	90
PID 4940 wrote to memory of 3004	4940	chrome.exe	91
PID 4940 wrote to memory of 3004	4940	chrome.exe	91
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92
PID 4940 wrote to memory of 4328	4940	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vgwshsw.blob.core.windows.net/bhedjnjjk/6551.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1a5c9758,0x7ffc1a5c9768,0x7ffc1a5c9778
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:2
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3984 --field-trial-handle=1892,i,9476345547256405058,13123335576313390582,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
82e93fc54566aae1013f569c14653b13

SHA1
e286f35d238dfd9d51b1df4b17bb7fc4c367af9c

SHA256
af0f75eb201e8cf7c9db90e2f160be2588055d71213ae836811903dd27a3a17c

SHA512
87d89da592f4c76bc086537e1540d4e7c3ad3db7938ed3e6c20860e5d1b0bb86fd354079d715f062a29616bec45fd946bd5c7694dd9e8801f8c488f15738341b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
76cb0b4e6cd90de936140c1733d4be17

SHA1
894d293eeb5a7a6501f92c60cb9f5865f952db95

SHA256
5f82a4e402167628af5e99ed8fb08872755cd16b3716dc5890f9a64be2e3b766

SHA512
b37d8d84c85a004fd95fc407fde43e18c18d4095fcc0e50189d2dafc7d42158d07517af91eab70fc66f46e8ba27660669b9b59391b3cf4736dbb1f0255e3da8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
554e0a16bf2e3e65f9a7fb835a472fc4

SHA1
ade04a9336a23dc3c59d08c76773ce5ec7f21542

SHA256
6087674245a36d973247870c09b80fbc3665deb33035d7c7b4e77e13edaed4d7

SHA512
c27ca0bdb9380d1774f4d1376a179f61c75f0dfcf6db20af9e53869207b07ceda69bf5625c5b089aa3f825c2145409135f12e472fdb11040bc525df95b7fdb8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
fb603dd8fde55c8bc825dacba6e255cd

SHA1
7291faa1c63d74961c8dd46f8d7b085c9581c1ac

SHA256
fbfe1c0796d61fb2d9e7e944e496dfba225bb84b536ceac5c016a3dc083e5ebd

SHA512
96080879e4b74dc5a3bf780f271a2d5966726a5c4ed26a047b5f48abbfb5820d8eba48fa08cf199d60ad8951b00624d34bd675fa8888231ea22e397347ecc523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
6d6c660412a1bade01cd15745b0c57a6

SHA1
9705ea0255b6bb6d26b524f5bda0f1eded0bd35f

SHA256
e4fef12b4f20ee54ac34c489cab246b7123e78d5f11773cdc1b647619b3f29ae

SHA512
8dfd842992d268d610b6d67b87f27880a4cf17ef11ffe173e77082f0d0480015533cc38a853e8b06af6d6f2c0adda9c82894cb9ac0962faf2db09204de031258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
b2a3d0cc8c845152a704bb7e80c6f14c

SHA1
6c50d6c2595f9a102f1db801452e2fa599e51ef2

SHA256
6819f57ec3f0a2b5104b04d32dc799159d184e1d01f7c2b6ac0b4bcd56a2f738

SHA512
72b75b223ae029fd947bdc795d5727ab4973692510aa41f62d3c60a9b25529b015e52b43297d2a6e525a41c0bb928c2ab2db9eecd789ec58ef382b89af4b4879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit