hxxps://cl[.]s51[.]exct[.]net/?qs=4dc96501a668195a047b7a73c9a70947c4b39b85c3c6dc7f3389b0cf5e5f4a955aade06f3ba42ee47d9e6a9aa9fabcac5e06d8770234ef8b

Analysis

max time kernel
53s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cl.s51.exct.net/?qs=4dc96501a668195a047b7a73c9a70947c4b39b85c3c6dc7f3389b0cf5e5f4a955aade06f3ba42ee47d9e6a9aa9fabcac5e06d8770234ef8b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133501519511608999"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	chrome.exe
4844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2396	4844	chrome.exe	86
PID 4844 wrote to memory of 2396	4844	chrome.exe	86
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 1748	4844	chrome.exe	88
PID 4844 wrote to memory of 2068	4844	chrome.exe	89
PID 4844 wrote to memory of 2068	4844	chrome.exe	89
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90
PID 4844 wrote to memory of 2284	4844	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cl.s51.exct.net/?qs=4dc96501a668195a047b7a73c9a70947c4b39b85c3c6dc7f3389b0cf5e5f4a955aade06f3ba42ee47d9e6a9aa9fabcac5e06d8770234ef8b
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff986e09758,0x7ff986e09768,0x7ff986e09778
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:2
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3996 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1868,i,4562122837081948067,2576636515498648819,131072 /prefetch:8
  2⤵
  PID:1288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a5f47bb8589a9f9edacaa2e62e83da5

SHA1
2a1eb745d83189be049d5f1f27ec8d0df4b3aa74

SHA256
38a49849f65102b3ef9e0bb8c89d247cb987994b44aa8f2e2fd10e44f0cafc83

SHA512
b6b6fec04f55c714c6e8433c445befcf5a6d99166931347319a15fbea07c405689b1dc627bf2f07a3798ff632db4ee6175415f89f6a476794f496629386f502f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ec4669fa7dc8a83260c17e91bf33ee12

SHA1
9f7aabac334f377af6539333521003a3fbcf7cda

SHA256
53e7830f31576b9df25ab51ca21c98b587b386b8a4fe8727ddbe4b9cc209450b

SHA512
65a453b1625faadd1f45d9e454bc65c66ad4ef697d092b9d012eaf270123145bd873a30a89e34b9b3a78811b356421bb55303eb5f4d9d0b5712d5c17300ba3ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
9299e142e5be23ba73fd4483139c0a9a

SHA1
99143bb40ce19e0debfe00f43f79645b0a16bc24

SHA256
cb456706fbaa54e44430e6fde57fe80a5e286c26de34c2fc0297fe5e8afb3d09

SHA512
a05e679e2121113be1d52c0a70a41ac3f480d1e64ff4acf30de5ba38f3f78727425c7e90ba12521829b148da9ec7b18f4a1d132675f4eb47055279fb4e61257f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit