hxxps://eu2[.]contabostorage[.]com

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
25/01/2024, 10:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://eu2.contabostorage.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506527646004549"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
316	chrome.exe
316	chrome.exe
424	chrome.exe
424	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
316	chrome.exe
316	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe
Token: SeShutdownPrivilege	316	chrome.exe
Token: SeCreatePagefilePrivilege	316	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 192	316	chrome.exe	74
PID 316 wrote to memory of 192	316	chrome.exe	74
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1412	316	chrome.exe	80
PID 316 wrote to memory of 1096	316	chrome.exe	77
PID 316 wrote to memory of 1096	316	chrome.exe	77
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76
PID 316 wrote to memory of 688	316	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://eu2.contabostorage.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa18c99758,0x7ffa18c99768,0x7ffa18c99778
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:2
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 --field-trial-handle=1856,i,9452606185020143272,4808481163569854381,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
88d3cfa095a7811b0267fed48138e8dd

SHA1
6c54133e161693eda06e5437d1e90172fca35df4

SHA256
8159997b3861bf244fc64d9233159e50c9e439342cc03d034428d85575e673c7

SHA512
3744344db25861291c1518249011ef1911acb288d94006695e4b42be7395a59b62e71d2b47bd753f89f03608b1cb60d7d918dbccf2cea2c4aeac61aeea70dae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
cdd3cf24847fce77af27b8d048563cbe

SHA1
0a008b44de2b5a94351ab3ab728ae7304775f027

SHA256
dd3aa6921892a1c8c6c334a7fa096248209c6778473b4f3427286f9f01e9f2d5

SHA512
8f85d7efc00838081551bff0cf9537b5efbe10ecdf0c3c211a028a01710656673de6ef3b36686109a81413ea24154b5b86db633b67d5d8b033de45b69115405c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ceb771e470117620f171a469898d339

SHA1
e27aad386281f5cfe83120b95b7d5aea65cc5b69

SHA256
a93352db439476b312363c50c874313ffada4e6b958cd2ab6df69c1f48988ba9

SHA512
bfed06b2539fc471045f7f85b34b73e06ce53568a52aecd87cd511227d59b2520e2be643927a907538947bdb4217825b7a1d54924b3bb2dfc4eff3258b55dfed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
10102d72122fac65ef6c0b691c6690d9

SHA1
0b9bdffdee05751474626f84011c7788d8ba02a2

SHA256
c2fcd32fa2e57f36d0f79242fafa121e40ed0635adb73860e9d160baac856fef

SHA512
531f2a44b0e685e3c549b4c75e9a6ec402b034a72a21cd708154291554751550b6a5117f76ec4f6522c19c5d0a4b6b7891271e4b0ad4dc7740be07f69b021e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit