hxxps://www[.]google[.]com/maps/search

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/maps/search

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505248669624001"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
3992	chrome.exe
3992	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4484	1964	chrome.exe	85
PID 1964 wrote to memory of 4484	1964	chrome.exe	85
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1344	1964	chrome.exe	88
PID 1964 wrote to memory of 1492	1964	chrome.exe	89
PID 1964 wrote to memory of 1492	1964	chrome.exe	89
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90
PID 1964 wrote to memory of 1392	1964	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.google.com/maps/search
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa98a09758,0x7ffa98a09768,0x7ffa98a09778
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:2
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2484 --field-trial-handle=1852,i,12582644200839251020,5926575908624370294,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
973B

MD5
2a6f68d57db305c70001756601ef0d5f

SHA1
46644acbb376222134d0f7a2b6ddaaad5908ce1e

SHA256
a85d556ead90294c7a9d25dc6a19ad6b2d7a9673e6477261be1a7ebde8563e31

SHA512
374f85f95e08490ba942cb890b85d0c2ce351e986d6e51c1dea32b4640a6ef0a787bbee5ae56ee7b565d1cfdbf18052e7c2720a76aa1872d76ef7cdc98a2f9ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98a513212bcd80ea3d2fd4af0e5aab3e

SHA1
b0fe5de7eb8ec662339e5f5e389ff9e48c9b00f2

SHA256
d13c7b94a2a6f5f93fcf2ad69f02b147bd016af5eaee157c4c0e5735282714db

SHA512
1f597039fc8f7e7893f0b5d2ada4b174cc439983c9b0102f108bc2ce36d9ef7d18060f3b8974df7b43a7020d19de88830807821e78a8e145fabfd4d1c863ad5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
bb425c3043501ff8c9d8fd6738cb3a5c

SHA1
1d6d94e67ef2a1cb9d2796cfeb870ea53bd83fb2

SHA256
ddc6fc169ad68a37f756d9678c6976115ad6631f840ea49a4c9b67283224bee8

SHA512
b2413098dadc9422c7744bd4ac7ea2ecf61b55e554c09464c82afa7337e19b9aea6ecfb2b6efac79704e9cb3ee6f91fd464e85243158e0c0376ce322a18f6ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit