hxxps://client[.]southernscripts[.]net/Reports/QuarterlyReport?accountGuid=dd89920f-8339-43d3-b542-2b090474ef32

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://client.southernscripts.net/Reports/QuarterlyReport?accountGuid=dd89920f-8339-43d3-b542-2b090474ef32

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506216212437237"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3408	chrome.exe
3408	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3408	chrome.exe
3408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe
Token: SeShutdownPrivilege	3408	chrome.exe
Token: SeCreatePagefilePrivilege	3408	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe
3408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 1380	3408	chrome.exe	87
PID 3408 wrote to memory of 1380	3408	chrome.exe	87
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4072	3408	chrome.exe	92
PID 3408 wrote to memory of 4892	3408	chrome.exe	93
PID 3408 wrote to memory of 4892	3408	chrome.exe	93
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94
PID 3408 wrote to memory of 1484	3408	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://client.southernscripts.net/Reports/QuarterlyReport?accountGuid=dd89920f-8339-43d3-b542-2b090474ef32
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff921bd9758,0x7ff921bd9768,0x7ff921bd9778
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1632 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1872,i,13734533698865046100,16036144221009508070,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
9909daf4305ee74fd382743e58450b1a

SHA1
08db5d3de69f5fee5e3d736e9d754f2625597b08

SHA256
80c5dc4f29617b3b81431c5edceec92085fc070770fb46d9bc1d2ac10b1ab841

SHA512
e2850c34a7d932f4d1bb45be2deddbf99134eaac4cfb511e8947275c4c7180a798b8d2d60b68b20f7316d33f963b44425f07066b62effd57b43ba0569b0fa641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
836B

MD5
867abcd3dc3aa1bf45f5c9fd16ff941a

SHA1
6451a0d8484e249f1921cb93e4ff8d67f5f2470e

SHA256
e21e752374ba1ad602c9147f51a26df135baaaaf9834282e07811e6e308f0a17

SHA512
996ddf233d2fc391dd6518b9dfdad8a07d7b783aeec8fd5c00b0862aa0b64007d76fbd27549d6919f33e85329d139ccb5087357bcb714bc793f433d1c37e1ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
822519ea5917faf103ce4a7c34eaa7d2

SHA1
d9f3e773081b1ce4d9f99346dfbb2e0fa2ff61bc

SHA256
809bf2a56e9c6b5095ccc808bbdea0a62128349bd3b469978eff0acea0196c55

SHA512
f65c84987a7c3e8fb3cc38bdb561ecf91777f55947fe6b178ceea8a62e4264d12010416c418a087dd118309164518989eb1d3d2d53f9cd1a437baa29369db054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
21bf691eac8d306475675ee95aefccfa

SHA1
fbcb09b0440fbb36b2b81c05db9c745a56fad8cb

SHA256
1fd28d28dead4f1412154728dbeabc68bcdb7a0fbba2f7f43eb19526561849c2

SHA512
908a4e3d2c833aab0d1a5da990f2d8c62f3f182416431a69b02b313268ff7f7699a6c71f77ad2fb4b342ac40ec055768d54c500354ec7de130304bf621127747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f975f622a21969006c64016907b22c70

SHA1
56c99d3cd0213789380c877839424b2da45f0206

SHA256
d7fadcb6464be6603d0667ab00444a6e1b2f7c7a3f5060d374444f2dec0e1b27

SHA512
92d5c711806f8eea46b5eb716dcf005f68c6f9509d405be4615fb5e62219c25b130c709cd6f184adacaea94c62d6819ea064763c43f364830fe0a3e863484b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
1a48ff63bdb33e6f2ba65d5705e0eff8

SHA1
f9e322d4db4f5c907e0a437765c1ff863248ba42

SHA256
ce574e6062902b1cdb05ecb447b38c9a874b93d4d6aabbeadf98560fca90c5ac

SHA512
8134c86498c66fff321ed78705a70caa93e6bbdf96faef5c2f17da5f3180743e8a675fac5b410ab53d32c04c9fd14b686b86a3f407c2b16db24877573780548c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit