hxxps://we[.]tl/t-1GOYNt8ace

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://we.tl/t-1GOYNt8ace

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133495569921769295"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
3584	chrome.exe
3584	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 4596	848	chrome.exe	88
PID 848 wrote to memory of 4596	848	chrome.exe	88
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 3552	848	chrome.exe	90
PID 848 wrote to memory of 4716	848	chrome.exe	91
PID 848 wrote to memory of 4716	848	chrome.exe	91
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92
PID 848 wrote to memory of 4268	848	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://we.tl/t-1GOYNt8ace
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf7749758,0x7ffbf7749768,0x7ffbf7749778
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1876,i,4635097636951006119,566246472356057694,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
efca1250e64c8797dc5f0e63313a43a8

SHA1
32ac6cd54e599178a970ec3648f1303f170d9e4d

SHA256
d3e1f112c956185e145d461d4249121ca6bd7512306dea8799ac3aaf6b512eac

SHA512
3a18d0d0e60cb37ef2cedba51d404c4706d40948979b6ceca58fe7d0fd9e187a8eccc0bcb2f81752c44147fe2226660cb6962a098136124dac9b96287cea14fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4df83739caeb401efc9e29792478b85e

SHA1
f9de61332d3e4b96ee7d75a56ac1efbb13c71564

SHA256
2962fd889bfe153fb6aefd92de1539b28a38db1615cb192c6dd2f1dd4ea25db2

SHA512
ff164ea5adf27a6a7f950cd64af357fe3298a0f2f9878608ef7a2e2d7178cd2e86978a0a74ef179a51d20e4735d2b3272dcaaad01a2353f8bb6482205fa37aab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9d84de7723d58caa7fb517295b36b6f8

SHA1
97a9317c06ecc16cb11f1f25d09c74c7a4125358

SHA256
b3db91d5dd3e69137d2a117ee26cb25ef7a5c36f24d5d16a08ac1875fad5f62d

SHA512
7557e73b889b14a9e1d8d24a23b20a9bb7606c3be4247be089a1fc3c24d4dbad4b2f4d2761c32cfb2eb2d740d644f0494078b8bd6459e013a13208e1fea1f5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fa51cdafb8d047abbc928365a5d6b7cb

SHA1
5da96c3d437a20cfe4ccc04124fe2c946b3160b4

SHA256
228d1a2867a703e70214b03d73472edb2cded297ab4f55ff7f3cac4760610226

SHA512
81ca5b335f28e4c05435b076157126e381590f193bf833ef4c87e65804df79350118b66c26ec853b2e5942a10f7d3b231247bcd8e24c08f8494791cf30efef00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
742edcd2e3dff73f751a70ecca526792

SHA1
f3f640d52ea871302f558b84d730508be1f7d25d

SHA256
3cf763e951882eb25ca9629e09c803ef24164db9fa48091362a9597f9b8d6d6d

SHA512
528d6ac26f7cd2e5c57fa6fec65027c83ed407391b5b1b493beca90d245285e429b28ad3fb4a7e6e0c5ea2812ded8d763273652ab271e051ab9849023a2c2e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5c19ce2fe0788e75f75ef6958c6e7172

SHA1
5fcab3278657b149b1b9b50c3f73667030694439

SHA256
80e492ecbd8d7ec88c5e22c9cfb3cb2a40f448dcead748ba3fc8bc26b2e50fa6

SHA512
a2edcae82ab92008b86e8d588a0c5cb20245d1ccec7130721090f68d2e987ce47113aaaf289b94279c30886418b3246f91d03f4e4c864bd1962cff4259c8e67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
75bcec753097b81644b038c49287a657

SHA1
976ff3f83b6abdd40088f09a5374a14b92424802

SHA256
10eb18550c455afb32b239d51cde720c8f25b4feece16b8d6da61d938f64b039

SHA512
c22733b9b13012ac3d46664919a7a8cb9319db4e1205345aeef54d77a6ca0b64dcd802d4f80e50db68755212fdda63f1acf1cddfc4be9d012f25977da9e7d842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e7216a76182bc09f09303d1ee524c29a

SHA1
2c0e5a158fffa1e6448679a734fccdcd825e5485

SHA256
e7c8077c7c340776a84449e2638a6274f24f12cef3f19c0502aee53a739b706a

SHA512
de841279cfe2579072d7464a41549f48a9b3fd609b52df1945d63d3b9da1fac54203916992df2d090c9ce20ba3d1028de604686023a258fe426b1d4e1039b59e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
f032ff2d551fd991f57d022c84e81bca

SHA1
e37d18fd5b6f159a50a3272a997fb7ab11c5a234

SHA256
eb7d5ee0824857e0c632bde1aad0170e0ffcb5c988eaf8bc619e1fc52ad2b40e

SHA512
0adab648d2be4dea6213885fb99e3217fefae01aeb3ff885bb524b07aa9c2134ee8b57f5401503483965ba80754d660a4175818d51198e6ff07919385345e2df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit