hxxps://w8q6[.]b01l9[.]com/pkP2Bk#a2VubmV0aC5mLndlaXNzZUBlaGkuY29t

Analysis

max time kernel
59s
max time network
57s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
14/01/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://w8q6.b01l9.com/pkP2Bk#a2VubmV0aC5mLndlaXNzZUBlaGkuY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133497103194233814"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1264	1792	chrome.exe	56
PID 1792 wrote to memory of 1264	1792	chrome.exe	56
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 596	1792	chrome.exe	76
PID 1792 wrote to memory of 1496	1792	chrome.exe	78
PID 1792 wrote to memory of 1496	1792	chrome.exe	78
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77
PID 1792 wrote to memory of 1868	1792	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://w8q6.b01l9.com/pkP2Bk#a2VubmV0aC5mLndlaXNzZUBlaGkuY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9b1249758,0x7ff9b1249768,0x7ff9b1249778
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:2
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3736 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5036 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4412 --field-trial-handle=1840,i,14673611770665102745,5938239295587945767,131072 /prefetch:1
  2⤵
  PID:1316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
07c9bc45a8c95890fdb4601c4c2f0f74

SHA1
4fa00b1759fbf67e0a805ae3b32553b6bf94e0ed

SHA256
91c949b043a08e422b438488168721f78858deb4015322b8d3064f217bee867b

SHA512
314b53df9d329cfcb2d990779d3618c3a840ac43c3183944030f6a2019d861dd343db53f3eadf281af44a3c855b83ffa7319ff8209e8ed0f06c8d11a986072ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7c13c05e9df865fbdbc0adcb81f835e9

SHA1
f377393f01a5854db3e9527dc17fa52e81c98772

SHA256
85e2f78998c957ce536a5e3bedb60b515b94657212f3b9ae78a8368337832e74

SHA512
d8311696c40726daf7191e3e2bd7459350f41800820c07a7cca3bc6ec314c5b47ff163c5426cc073f633c49b755ed6c3f78e6fc14c2119d026c271540c2d7057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
5176f8ed6ac91687ee0c3e5d6917e656

SHA1
7a6b957583c9b300fba1ef02e068f1bf2f4dcef9

SHA256
021d119f17643d0f85c9e53e58004e05c802b595a3ab8d279066a992e1806ce6

SHA512
68580f0a69bd64ed93c448ee0ba6533ffe1194bb2cc6560dab256e01cbbefb679b1a0b13b637bf443aae5cf612dc44d92c0f39b414dbc461b48baf8579caeae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
853646f57d8cb28b92323b87e20a95f0

SHA1
be8d4cba3dc7379d00c0d9ccc1153b321cfe7ace

SHA256
49b6d79b41cf4b7537056478e6e80dae0871968a72c261398f8f928442fffff5

SHA512
665e302623cc925237e7a071e062475ccc2691d64dabe002f9b33157d32c6aab231c8a7898d502ac83d35cf51f46887aec14d1141a48664495af695d15c6ef1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f02b9fc9f4b72f48984df554869cd73d

SHA1
3eca09e6247b3cb9a75663caaa0b4a1ded6d0f6f

SHA256
c69107158b650805b295d96a6d2507d054b9d12236a8961bfcd72e2286f0945f

SHA512
878688f567f1e7bd6abe9273af09fe093c94ecef18721be01133d4fbed3acc4163809314be5adb721063d002439fda0c8c9d24e5fd9487c18ae99c7a8f13c3c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
23a091a4c624b5de535a80861095a29b

SHA1
dad70c42bb0c80d908701b180736eb7f4d51e0b4

SHA256
cd07ba91a0d3bb09993d352f9935563b1cba057a35cd18da5cb39cdfe2bee6a3

SHA512
86f8b61cb89b96435ff03d1a9ec15fe3d2dcee096428c0a6040cbe7cfd3d0b98ca1544bfeb8a7fff43ffe5157e674eaf3795ece7d31f1f78e173513a93e21acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit