hxxp://www[.]facebook[.]co

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.facebook.co

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505442430975087"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3720	964	chrome.exe	22
PID 964 wrote to memory of 3720	964	chrome.exe	22
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 2588	964	chrome.exe	87
PID 964 wrote to memory of 3188	964	chrome.exe	86
PID 964 wrote to memory of 3188	964	chrome.exe	86
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88
PID 964 wrote to memory of 4844	964	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.facebook.co
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffef7209758,0x7ffef7209768,0x7ffef7209778
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 --field-trial-handle=1856,i,4044171507830955652,11071182139417277308,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
c047667a06924b3c4cb0cdce23030eff

SHA1
ac07d4f53a3050593a7111a035fc6ea44826ba7f

SHA256
06b1f3405a151cbe333048f97ba400129800e4f58e8b6e0bbf6e25434db3496a

SHA512
56911a360254f0dae39b77c962934d00b33bc51a7aae726151aad9d0c516a2b7211e7994665b44620ebdd235dc35ffdb521f65f853a82512bc5703618f8cb8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0d139ff69c9444548e7e70b0749a19c3

SHA1
c5ffab6c78bd88e34e97a00755fd2bbd43799a2a

SHA256
03de679633e7eb2275d7e3250382a90b7d694ee592681660f07c6bb8137f6a7e

SHA512
14e7776b41c4483546f32dc855f59fb1222472227984569afefed73cb649cffd5ff7dc91479b97302533ffc7a151555586ce064a7cf433f5b7e65c6938b5469f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0d3a3aa9ff799b4e2c69dde1f3accea4

SHA1
194a1c95d9ed990c1419c74ec30bb34ea538dc62

SHA256
32be65882ae0b365e256345cfcffe8ce7d95ee1e840a45ea158290ff823538c7

SHA512
127860e57f5c12d840fd2abcf43d85b9f61cb1c8903ab480c6e605c33306b9380467cbe9edd6d2ec99bdca41d430e47a4666fbefa95e4f0bfc0973ceee7ef20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
e7f542d517713b6977cb1c69bd479a51

SHA1
0ae886562f284415f00d50abb8011ba8670d8da3

SHA256
f2aa2c56d423aea63d8cf1a04f0982138e10271c2d44425a142546ce59941f94

SHA512
37dab61ea2f6264e004340ac842d5b6579162f495c7bcaf1a0daa7c562e0b046916c299a1299e154f9d5f37c6a5210ec1fd461b628dd888372d8c6f101c889dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
00560ecb0ef50fad4046feef31c4e252

SHA1
4d2e87359305157752e5d485fd15903c47a43a79

SHA256
3ef73c0211bfa4413b1c69f157f1f531d2b097f46618b64dc2f7564e94d61d7e

SHA512
18f841b4912925cd7ca8c9364d84edf9981cc2920841a3a10f1be9a7ee92047156ad92695ce9276e78eff246f876b530b2510f7dbab782d430a276fed65d9db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
baff90dc0c091a08cf09cd7ffc2be5f2

SHA1
382ea2d211f037bcda5656e8214a089874458eca

SHA256
75b5bdc8263fd0f9667928185ba2435f286899aa8ff3a5b907eb0077dfff22ed

SHA512
a48acf6e49a5c14b7f1e9f9939cfe4e944a629833c849a33bcfa40afed9eb98645145c1a9df7a1257960766d4f9da2ab2adca96d24fd237eb7fc67d12c5bcb58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
8a65276b30b6ac8ff8446e3ab4909dbd

SHA1
e1a99d2c648f1eeb48312ecdd3447dd5aefdfaf6

SHA256
ad9de8f8f8baffca61a11adf831d3a67838ad684331ebd042c2186173b299803

SHA512
a8e272208ebe08fdacca32e6d11186bed5bca234fbaefc7403a75a4b4b3008e80db77947e4143f9df3cccbcb952515441bd372cf6fd7c8675a294f5913d19661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4e45bbfc4283d5b22e1d4c4448e43f0c

SHA1
5add65f382120454656072b820717bc542008481

SHA256
c015fa29bf7f316cdd4a56506c05053d7c8a770bbd72310029bb20f909b18529

SHA512
11487ad7366f30de4c8eb6dea212086b0403f0b01a2e68b0517f314b8b4b4319300951413d435277acc2e8c1cdf4993b387a1108b204d135db5ebd1c93551c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
46a5aab062db9b91f0a35cdb44350387

SHA1
42461ea4625f2c1517f5cf276d044d8ba0870b77

SHA256
530c6d9b7384c8c36d4d751d39a53f3ea9669326282be308d407b9d7fe3f73fe

SHA512
40a5af3d5d3181806751a4973c77ba4bad4d5d3681754be3549749edf1d2626035cc90fb9c5512afe1cf3bdbd9886ee9cf1a0c664f88e2266a40ff572c76b75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit