hxxp://DELINIA[.]KZ

Analysis

max time kernel
295s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 07:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://DELINIA.KZ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133492593751756199"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4924	5072	chrome.exe	14
PID 5072 wrote to memory of 4924	5072	chrome.exe	14
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 2196	5072	chrome.exe	27
PID 5072 wrote to memory of 4560	5072	chrome.exe	26
PID 5072 wrote to memory of 4560	5072	chrome.exe	26
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21
PID 5072 wrote to memory of 1212	5072	chrome.exe	21

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff826b99758,0x7ff826b99768,0x7ff826b99778
1⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://DELINIA.KZ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 --field-trial-handle=1900,i,2748872759440117163,12220697659219887175,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7d62dcb0-f012-4c3b-9da6-9b395deb3183.tmp

Filesize
6KB

MD5
e15df2bcc7f5e3ee316fc753051c4359

SHA1
a99b737bd0d414e7114da75d5c4b04995ce97091

SHA256
bbfa8d1ced9b0fea3dcb8bb805279756a385e9fe6577f003403e271313de5864

SHA512
210c776ef4d3cd6ea16e9737685385e013a83b3ba04417a8de4c9c0d3d1599ec6c276192436e4664f20b1a22419a233a2ad00d03d0722b86b5b2f054f42341f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
1KB

MD5
b888406c09409582af8ad4d0ca797aa7

SHA1
ed47d6f999f841517da7d1e57980118d9f3e0e75

SHA256
123c0449d980ca8b586aa23c7f022cb7649a9d37c3780ca9ff1da794bf823b53

SHA512
1c927cef6b0fa7c159d609fdec425a1bd2ba64671dad87a510ba4cf4b20dadf6c0215b680665825e91e240d5bfb9c1c144250e792c1229bf4eaaca06a9700a4d

Download Submit