hxxp://www[.]kaseya[.]com/jp/legal[.]aspx

Analysis

max time kernel
0s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
09/01/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.kaseya.com/jp/legal.aspx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 196	1764	chrome.exe	14
PID 1764 wrote to memory of 196	1764	chrome.exe	14
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 4024	1764	chrome.exe	22
PID 1764 wrote to memory of 1392	1764	chrome.exe	21
PID 1764 wrote to memory of 1392	1764	chrome.exe	21
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20
PID 1764 wrote to memory of 4936	1764	chrome.exe	20

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffae6f19758,0x7ffae6f19768,0x7ffae6f19778
1⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.kaseya.com/jp/legal.aspx
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2576 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2568 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:2
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4776 --field-trial-handle=1804,i,16784548499841303654,14253628011411225979,131072 /prefetch:2
  2⤵
  PID:748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
82f62350585f3b9ed94a9c5ab47e17b5

SHA1
76b482abc8961c56cf4c1af9b33f2db0336b6466

SHA256
ae5b6aac2de33227cc228f0113d68a943936b8ea3a24ebc8c7af2c1d29d8935b

SHA512
102ff07540e76a4949f22d3b4b007ab176efca6c39c9f83e7902dedbeb88c16667c5b1340cf146a6a4c1afbfdf08a04b7ded781993a3d185af8c649ea978a82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\51b6ce3e-f518-4d77-9fa9-a185b64fcddb.tmp

Filesize
1KB

MD5
fa7c894ab2352c79edcdac69ebeef7b8

SHA1
1ca13dbf9990be5c36a1f6a78f5cf7f53efe1cf3

SHA256
6ad15da064beb68122a871e1bedb7c75e5e9e26a9516e875221e689b75bcd14a

SHA512
50dad8d9ede49f775819d6ef5010cc4e3319ee983368032c6f9b95361bb3904b013d44005384c9bc79b1eff36cd2167fb82b9515a6681ff5366ccc2208fea1a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
4KB

MD5
95582538efe18c3b1f802bf4844ddfd2

SHA1
9589f1f6eff62b16bccdf2c4b7f07e8c400cc848

SHA256
16276c751cf176ce6c61b41273ad303717f4ed435229812f8c7629c94c052874

SHA512
ce6c302c65635672c3121de8343c52c3e4fe7bd4510f05572c63344a88172a363b18505db23418b6c0676426bead8780611517f3d5dbe305f83eff0238b492d6

Download Submit