hxxps://tinyurl[.]com/ysokufj9

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/ysokufj9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504528507022137"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
1972	chrome.exe
1972	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3304	5072	chrome.exe	86
PID 5072 wrote to memory of 3304	5072	chrome.exe	86
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1376	5072	chrome.exe	90
PID 5072 wrote to memory of 1976	5072	chrome.exe	92
PID 5072 wrote to memory of 1976	5072	chrome.exe	92
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91
PID 5072 wrote to memory of 3064	5072	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tinyurl.com/ysokufj9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dca69758,0x7ff9dca69768,0x7ff9dca69778
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1244 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:2
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3660 --field-trial-handle=2088,i,810128441566400257,15014228097856507778,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d635c35a21cdb541f3e4c9a65c02fe69

SHA1
f44e72d6f17a6de8c087053f9032ed67f5bd9f68

SHA256
9ba62ab8a8644d6fdfd59bc3222a81bbb7f4322015f8a069824894085dd5104e

SHA512
c5c63c84da811c67427b4afd4b1159901b22517491b8936afeb08840663ed9548e51977bfa5ca61ba5e3b6d5314ed307aed9f7bd308c2ccdee2db782591f3e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d3f479986602ab63ab440bf0dc056eb6

SHA1
c148b0fa6f281ccea44a85c49b9a634045635a44

SHA256
a2c6267e742e7bd2c00d5035ffc0eff3a8198063475188e9a814c04a0b92132e

SHA512
b70a44998f8ac2ffd6f9a9a7ba2ab9c350fb0546a409148d440bfa3e246461734a4c4ae10f86128de674d60e79cefc94366578ba42297b0b63a1756d5c8b69e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f64819593d8f250e7bad3b1eaa74420f

SHA1
ba3194d02d5a8c7c6b4a7706102700862ac9414c

SHA256
39a660a8761253cc6ea144d9a0b21544be67737ad98e38b49f7e7b07208d79bb

SHA512
f7a949f9d892ff284c7bee83928cb0801b87a26d2f2c79e40773652c466a613c67865bfa5a6cdc0fe7181be18691287d4a646d117b0c6504a7f496d183cbf3cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b34b0ac6d7c50d8912df6aeb6ea730fc

SHA1
93c023355316b6e3369fe83916046449a4048d08

SHA256
836ad2ea6416ef0cb9a95207d624a26fe373e5fa88d2699cd2e554570f225b3b

SHA512
e542edf3c38792e6ab661b5973366894b59e0c4b010b795070826a97656cf17d60bf53acf995b72bd727315c4ec444de6292bd0dd0d467c0b04ee80597d3b0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
8f9f388418f9928da3f24845388168ac

SHA1
6937684b3042afb067e2b24023c9c36e00a77fc7

SHA256
52982ca442fd51e25f721e18b851398ce37b3103d8cb28eb39c325fe42798ed8

SHA512
cb0b605121a9711680ff1636e22dac2018bb4b07e6970bd90e8ac92bfb8dfa99c16788ac7d91d3b75cb9b3a47b80a6b9367858c073851960d5f13f8f7cce8b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e0183160-3879-4e16-96a2-cb0e053ba43f.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit