hxxp://11yii[.]com

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 03:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://11yii.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133500223229734232"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3916	4580	chrome.exe	82
PID 4580 wrote to memory of 3916	4580	chrome.exe	82
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 3552	4580	chrome.exe	94
PID 4580 wrote to memory of 2636	4580	chrome.exe	93
PID 4580 wrote to memory of 2636	4580	chrome.exe	93
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92
PID 4580 wrote to memory of 5072	4580	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://11yii.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff932b19758,0x7ff932b19768,0x7ff932b19778
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2788 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2780 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 --field-trial-handle=1908,i,14207927477230202035,5095902714473073430,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
6273fa68c556c00f7981b6c9db26ca85

SHA1
dd9b80a7340a5c6067d12630a75c827e0dbf2299

SHA256
1e83eade8df63d05398852c2ee43bc53709a640b35b3ac6c03e3e92f9e921c8c

SHA512
428d1fbbf00d812ccfa3b5ae6b6c1276223de662eb793efb0a37212e6c56e51e669d86c092c338413c9639961c0147130ffe3e7b9bcda12fa66e11d5d686d194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf8245294772f5c1fb29c8c50819a2cf

SHA1
957ed79ecb83a45f3e202e1f68e4ec9ff6fdbc20

SHA256
116f4ff3527d464d451e262d2cd634bedee5573c4626e7a0a5950e03afce874c

SHA512
51d7486bab4c82657e75f940b6862fb942d8d978bd717c508cc19330c0c5937b65f9ec14dac38065f50e421f11d765d2b84c260f9f6ab1ed60fba257588de4e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
773d7648dc4b4b24236f88efe2e8f02c

SHA1
2f813529e3b913db8bc50463bf9b912954a9881a

SHA256
da2231fdb5a798fee8bbef67f11aa348c846a2150c87b7fd089cb1b9645d418f

SHA512
c45b6a46a67ed711006af94ebe4656568e1ee84139d58206d5f15a510dff780b8fadae33bc571f9c980bca65a2f18dd8a47229a1fb1180e793b001ee72af4158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
135KB

MD5
62016edc6ea65576589ade090a25b0fb

SHA1
b3e64ec8fc5c016a30556d8cf87bae1f0a3c8808

SHA256
66d88802f654adb874f44152646d326c9b9aa00e96f0ae5b13d915c209b5f815

SHA512
950b0435ec13f85c5e061f66f604950bccaf9b6c522a9531942c595b9f8adc8bd8052fba105d9d60f4b28721e1f08ee9886f85d437fcefb91ddeb6f8cded3764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
39822346362ac76195db5bd534cee881

SHA1
9421e19c0ad5413e396188ddba2b6da97db07a94

SHA256
4c43346c68a05025d48a5404a443019af1fad134843e72e054b612b63b0e9c59

SHA512
2876675fd2e9a2e22f88916a4051eab7176868b367abec2a579ee860819d2b8f2b8d10c143a573158ff7254d2c5d1ba923d32dc7608f0b468666145f359fe3c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
042413c44bab44f351e68307b604927a

SHA1
d5d8440b40790cd9253e7d0e8a0bd439985af756

SHA256
5125883b8d6952698e425460076388edea5f8b916c7cf3a416086de663352ad7

SHA512
0c2497cedac418d358886b93585ec6a509dd835ec19bf4cbe8db41377c2e87b4530e3042c2e13c2598b39c0bbc4d0b811f538e1187c1ee213be3712fc6bd1ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
22e644ff463040b2cf02ce5e301c7df7

SHA1
796c944f5aecea8673872d03fb9a207f84409bf9

SHA256
847a36e1b5843bb630a1a12379d94629e5f0a1645c16b7216c4c300d8e4eedc7

SHA512
c3583115771d3ccad4f2991055243b37f5f036249e68c34f129e5dfc575c9528e75b855b2d5543061caf75b85c250675d90db3b155f58ca76b93f7efeddd0176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit