hxxps://risu[.]io/DGGBh

Analysis

max time kernel
300s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
resource tags

arch:x64arch:x86image:win10v2004-20231215-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08/01/2024, 17:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://risu.io/DGGBh

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133492092797768374"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2928	2580	chrome.exe	14
PID 2580 wrote to memory of 2928	2580	chrome.exe	14
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 224	2580	chrome.exe	26
PID 2580 wrote to memory of 4532	2580	chrome.exe	31
PID 2580 wrote to memory of 4532	2580	chrome.exe	31
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27
PID 2580 wrote to memory of 4356	2580	chrome.exe	27

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3c4a9758,0x7ffa3c4a9768,0x7ffa3c4a9778
1⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://risu.io/DGGBh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5076 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 --field-trial-handle=1664,i,17611005857399741146,2445743427557577986,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
667cde8f041527f64332c7b444b3d9ae

SHA1
a64ccf71ef5caac9a31fb89c243f8ee674117742

SHA256
c87232c0fde9b3f32e94b1e8e5f533f2ab4448efa8557f88cca2cfac35145af8

SHA512
d05a78b3a2682a048d6532bf53ce6e3c55d908f17fe37518b7620d077e7b682b385a9cd7afa48b43e7063af993d1396a91dd3c88a12eaec4d82b43458d61fcd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e97355f1ed536a5d10ab43541da13d93

SHA1
5cdb6343250cbdeed4445d952bd93939366f1e6b

SHA256
52576ff457284aaa5b07614cd3f3cde22987c718f6e20e036cb3197672c057fd

SHA512
575d01c1d21ca64e0a70db668939bd06ca54d5a1bb0cea368014e3511316043a8fee88cacfde9ffbd409f5c4d86f000d28a7d14850088ac21fa1ee3582649535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cd62ace2b76414a15de4c3216dc87476

SHA1
50ba801a95a9d685854888a7527314b27488ea91

SHA256
5ecf2ae3a92d7682c1ab42ce039f5c32b9e5432227adb34d71f4c4e89fb78216

SHA512
6747e83ca8885b242e2469ae1a04d7ceac3e55145df411ffeb323dbac966913b1f173a7dcada9135942638f836c916f90783253187a4c043fa9667f6c45904f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
eafa16de22008ca722869f6a724a9387

SHA1
ba28114260c0cfdd7ee92154994cd53cb36ec544

SHA256
4106b21068fcb476fd9832ebdd8a45c1b7a808b71d85bd4db3b4111c49f6c042

SHA512
85db8b4d3716b8347eb7f86682278c49741ca5a2d5487560c00d439178bc497d69edb5e17e1bcaf842fe232398e2fb6424402fbc36f57271459ef0073fb19a3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
ad53b8f366fb7446cd98814e118a57d7

SHA1
b9a18ba5bba26eb1b13e6b8b5ecd979c7a332c13

SHA256
349d7c5c393974453d39682dd8e53a77bce263a4fa10259fd3ee704023254833

SHA512
401a515183f294453d6b559d3d5464a926f965d429044448af6cb0e9b42bbaed35fc580f1958de5a7b59488e3bc14655570ca7f97cd286c1e096939f9634e3de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9860aaf823b66e208ea0107fe88b3965

SHA1
23f8437af93d1efe8df4a8e95785a46e711bc425

SHA256
5a998ac648605f0d179177de6c42b8cbd2ffe0970b0c77a5af135425216baab3

SHA512
337111d8c7fb6fec2edcc716a52d9e8ee3764fcd8d6a6eb8685e23b03b378a4df93b41e0640b7979dfa7bf88469bd4ff1b81a2d3406057befdb3abbdac9d8d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
801316ff1cd40f3203168be595649c1b

SHA1
55fc92d8f833cfbe08b608c129ae9644c982ce59

SHA256
8234694bfe2507098d936d0d3a3a15cd82e4a1806ce8beb7df85b63530ab09ef

SHA512
285dd7bc7aa2899907c0a5b76003499438fc75bd07b54719edd4cfe006bd0fbc9f2e4f82fd1c98495558308f5d2acf4b5109dc9a84bc87a7e6b9daa05c937388

Download Submit