hxxps://r20[.]rs6[.]net/tn[.]jsp?f=00186oipH2NWmHtg9Wz-KCzJQ76K0x-s0E81EAK1VkA_eC1Yw-pP7qVrCz0WMkH9weDUD1PlDVplLvFl1L-IiOOPiZMAuNtnKxT3GsbXkKWTPjj9O1CXbLYcQ6HqwfNuNI8sNQMiaH6OwXm539FjUqXzQ==&c=9bVDNfxG8jVxC3DGzivlpBptWEu0VZxzY3fjg2jfMpx82RzAoJnNfg==&ch=zddH3U1i4nJRDFNs-8tBGpl13R9i44HYsjj6RCSOxWyRqm7qno6yDQ==

Analysis

max time kernel
0s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r20.rs6.net/tn.jsp?f=00186oipH2NWmHtg9Wz-KCzJQ76K0x-s0E81EAK1VkA_eC1Yw-pP7qVrCz0WMkH9weDUD1PlDVplLvFl1L-IiOOPiZMAuNtnKxT3GsbXkKWTPjj9O1CXbLYcQ6HqwfNuNI8sNQMiaH6OwXm539FjUqXzQ==&c=9bVDNfxG8jVxC3DGzivlpBptWEu0VZxzY3fjg2jfMpx82RzAoJnNfg==&ch=zddH3U1i4nJRDFNs-8tBGpl13R9i44HYsjj6RCSOxWyRqm7qno6yDQ==

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1752	5096	chrome.exe	14
PID 5096 wrote to memory of 1752	5096	chrome.exe	14
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 5060	5096	chrome.exe	27
PID 5096 wrote to memory of 3656	5096	chrome.exe	26
PID 5096 wrote to memory of 3656	5096	chrome.exe	26
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22
PID 5096 wrote to memory of 2248	5096	chrome.exe	22

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x74,0x108,0x7ffe3bae9758,0x7ffe3bae9768,0x7ffe3bae9778
1⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r20.rs6.net/tn.jsp?f=00186oipH2NWmHtg9Wz-KCzJQ76K0x-s0E81EAK1VkA_eC1Yw-pP7qVrCz0WMkH9weDUD1PlDVplLvFl1L-IiOOPiZMAuNtnKxT3GsbXkKWTPjj9O1CXbLYcQ6HqwfNuNI8sNQMiaH6OwXm539FjUqXzQ==&c=9bVDNfxG8jVxC3DGzivlpBptWEu0VZxzY3fjg2jfMpx82RzAoJnNfg==&ch=zddH3U1i4nJRDFNs-8tBGpl13R9i44HYsjj6RCSOxWyRqm7qno6yDQ==
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4716 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2720 --field-trial-handle=1864,i,16475841414259318025,9372791232284880568,131072 /prefetch:2
  2⤵
  PID:3888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a822d866d9611c31a6beae070d8ff45c

SHA1
216ade2194bd05fa694fc2b5de806d85b021f54f

SHA256
52711c72e09e28045f16b38fc5bb22d77bac2b63f3a3d5060a18f8897d128e0b

SHA512
789e230eefaa0cc6a87fb23e0fb8ed0b91471966f7101c2309b068e1503ea14850e24a400f1315b859c497cf067d584f24296d1fd9728c957a4eb39732dae800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f6b4cef95fc170ad98faa96da1721d39

SHA1
69493caeba96f2d438c9f0a0a1777475d1e4a887

SHA256
088e58802c9e5982bbf53f58940f134c46831897b6904c1ee16b7731535d9d34

SHA512
d138234fe6b7f07a26d814bae42228c6354d559e301df4d32ed6d25b81cc9399301913d4cce8de8481069cd7cb396b3b5be853aa1611a88720e00175c34a007e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
64d3f8a81a727e59994f9ef737dce7b9

SHA1
1dd8448fac3bc85cf60c8dcd2ca4d8a90deecbf4

SHA256
1d1b315233c04e07dd67932125747e761ae0db4358dc893ad39a56bcb42b90d6

SHA512
292090146da051552df8430876a6ff1324eb16725bbae99b4131d8b373a9fe5383c1bc58a22c53e7eb1c607abcac5eae8142c03562d2e1784660950be6589511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dc145f686412c37152b717f74ae5335f

SHA1
a8053e5ad914971942477c537c3bad6e3e6c9668

SHA256
f98703bcd9a6b76cf73dec6280657aecc7bfd9d7df6d82552d04ffef63ebfa67

SHA512
ce65414cfb97b0755759654b93bcabd46821afe08f04bf772d2762f12fcd5313d514c5b0b6fc5e1e57039c39d9064b092fcc3b587dae5ee194ad77a270db7b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
83ed25beeeb1d2103d1450d1c8c02eb7

SHA1
194bcab4916f2527b387f23005dcad5bcbabda48

SHA256
c360acdc8c6cdf60b592c48a6ca877eea726ff816e1eb24cecdebf7f624c8eb3

SHA512
1ecdf1225bd92bdcc28c006ab24d3ef99999b232f9a47f75f39a83fa44e029696d8833b45784a987606a35a52bfd1cba336c4ea14564c7590e975f99cd6feb1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit