hxxps://intellipedia-test[.]intelink[.]gov/w/index[.]php?title=File[:]Analysis101_8-step_process[.]jpg&diff=next&oldid=950962

Analysis

max time kernel
61s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://intellipedia-test.intelink.gov/w/index.php?title=File:Analysis101_8-step_process.jpg&diff=next&oldid=950962

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133497088640795921"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4180	5016	chrome.exe	32
PID 5016 wrote to memory of 4180	5016	chrome.exe	32
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1956	5016	chrome.exe	92
PID 5016 wrote to memory of 1624	5016	chrome.exe	93
PID 5016 wrote to memory of 1624	5016	chrome.exe	93
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94
PID 5016 wrote to memory of 4004	5016	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://intellipedia-test.intelink.gov/w/index.php?title=File:Analysis101_8-step_process.jpg&diff=next&oldid=950962
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc96ad9758,0x7ffc96ad9768,0x7ffc96ad9778
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4816 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5312 --field-trial-handle=1852,i,16175754579310299766,6048479890688049685,131072 /prefetch:1
  2⤵
  PID:3436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
bb3b25d915f8b07c788b590e2db352aa

SHA1
ecffbe721560a972e395f0f1d79db1f1d57439b4

SHA256
0e9fbd3f11e5f160acff95bc609209e8df22d88f32275993858c13488a79fb2e

SHA512
54fb71107ff1688d1cbac987b4d3a92723ea5c58bb6771b9c66d60337ca70364ef922e9acf93bedd1989b03b366ec7f313bbbe9966ec78a96ccd57c7cb86f33a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
760c543c1cbbc8ded74ffdb33423e2ab

SHA1
d30a603d943131096f7beebaaa0f6cf90387ab84

SHA256
f788132674e47e78c40cc263138d261a5e04203b8d5ed88b02b0d0f58395b1a5

SHA512
3f822b033b1129b1346b81c921232bd590bf601c3eca1065c9d787d8ac46c86de70062743e45facf40ddc75c687f61f30e878645eec20fdd345cb4f7e061946f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f6dae582b2f5ea4e04688713959f67c5

SHA1
e941e0451c9f6e7dde5711a18d227a2c9fd9240a

SHA256
f23830888dbbdf91efd4e7c808bddb8f1d6b003671f48773d54531ed5913652e

SHA512
c06fb9feed3967f35222176a8a1915f31ee9dedd5e9f198f207eeeb072eee2999483d688c998a28f438fa8a696ba205dad5803b384604fabe60d67b66ea12830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0764ce330645e634776d86005f192d7d

SHA1
c39db7de1ca8a5844effda3c870a293e31425601

SHA256
3b5f835c8f4dc3fed63e33150f24f102558dd51f5e22bb983237a68d6110899a

SHA512
6813346814221aabf68a70ecd5ffd41d54715641e7c8fb8aa638eef2d84d5dbca7dfd3ad08f4b4ff7548b7b0ecb28be47709fd482384ab63050da7247c38a121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8dcd697b73baf764cecf5ed6759bc772

SHA1
aa33068823772299a263088a5d045434a72cf849

SHA256
a50d7c9e463cab7d8a0072de9e05433d3aabdc28c03cf02369ffbcc1570a8d0c

SHA512
4436dbabc8cb5df0a26fa6b2fdf9149034a28b34558f41ca4b151ef43fb77e3a9c0177d6db33bd72bd428a9a38b5321337b6c541a7c7071a542416125dd81e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8acdfb31b3caa4c7b0a7cd955c978a21

SHA1
4d35fb1d322ff1b543fc7b329462bb6f8e5c0427

SHA256
9348d8a0d618820478daeeac06d9410043030e823833ea6ba6cba2e75db7af5a

SHA512
88b282d648b6a289e7c8f705a672a14d0a3f05905d226c73e2a0d29a3953860dc8dae4050ca875d6d4a6010938bb8dffe96f60601e2c91f14196f3b8e42a6874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a5c5be9e-35b2-441d-9274-03032794493c.tmp

Filesize
114KB

MD5
98c5cff331edc9c769b95fd1f6b1f575

SHA1
729d981ef42c5e6b8a346644fdc25a09ff7b54a2

SHA256
f1697286fb287fa46f170dc2f3cbf153e5de64703d4ff3e613df202d768ec3fd

SHA512
271198315829fa938fe101d44448fed98ab6473476ee4b6cdf08ef1fcdc68588724235a673230423520e2e74a4868bbe58cb01dd2bb4ec1df904f762987e0b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit