hxxp://www[.]qsti[.]com[.]au/

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.qsti.com.au/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133515158805497097"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
4380	chrome.exe
4380	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1936	2616	chrome.exe	67
PID 2616 wrote to memory of 1936	2616	chrome.exe	67
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 3420	2616	chrome.exe	87
PID 2616 wrote to memory of 4368	2616	chrome.exe	88
PID 2616 wrote to memory of 4368	2616	chrome.exe	88
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89
PID 2616 wrote to memory of 948	2616	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.qsti.com.au/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d9c69758,0x7ff8d9c69768,0x7ff8d9c69778
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2632 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2624 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4760 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3380 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5412 --field-trial-handle=1792,i,9863561858858687319,8986356095139935240,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
193KB

MD5
7fe2c36271aa8065b034ce9efdbd2a07

SHA1
e22ee654cb122d0d62393dd8d6753d2bcad148a3

SHA256
02cf672988303d8fbdbc7625f54596ece6d83c78152ca6e1aa332fc8c75d5c34

SHA512
45d53a09ced29138e2f99e0e8a293322050f8032e006df06315ac9af2f1ab64d1c767ea5db53289bb5881a4866061299e5a60cd83753fe6ba88e8de7562706ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
633e69dcd37f3249e32b093e1f1b520f

SHA1
3e0cc95627b111cc478433d3808fc2f3e6c71854

SHA256
f675414cf831965701b428df525535672dbbf8a15ad8de275f55b2af57f4e9e2

SHA512
d0351094bcd46e7f3e03c30f1e1ce17e1505e6d41975ff95ee7a12985be96dd4f001e19a69e1c9f445702c134dba8834048099b9633af83b6171a31fa530feed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a5403b388ade0697ca420c1073e02eac

SHA1
c702bded32219f137b53ae815a656e4fdebac09c

SHA256
dcbf5da9d01eae531e92411032fe13e332c15e912168dfef2d0684261f34c35a

SHA512
1cf3eeef8867388b24c51f879aa2ec5517a3f03038b8014be1fe878f77e5a1573481bc5a486a2d05d13c3be3b46f4409f6b1796571838478dbd0b258e95f767c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fd53ea210cf007ce21827fb55ff6aa33

SHA1
844bd6b342a6e07ae34154610437efc0106218f8

SHA256
847759195285191093f50e96a981776200a3d81f6b46a4ce055c5117a96d9d64

SHA512
e14910d0fae73dc2cf52c5d86b9655341c50ffc909da71a8060acd6bbd6f92c501a8416267cf8355146e5517dff7451427337b42177c4b542573b1e24ef6781d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
171392a4871a2fa0c9eb9cd56fa8728d

SHA1
5f71894406ab7374785ccd9f195e4a3b1592cbaa

SHA256
99d23e23071239ed73a9335c3c3d0560170684a8e86e09c6ae6ea4c3efabb7c8

SHA512
2994330addffe4b0894a53cace766e6168995fa089fe0a3db3c4f52c1f1ed9a77464e88a66bffbf1f22c71b4667b4d67b01e89d880f77529385e2308be9a75b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
588663a33b6afa55e394d0bc68041ac6

SHA1
c9a81aed7c3be46a2f86ec199ce4bf8165229e2e

SHA256
e27f9d4ba849f821c27ce467d3f810045f715ab012e893f25cd62da531a110fc

SHA512
26dbbedd3250aac5b7e3eda3f4b6adca5d8d2b0ded078ed1ba5488fc19895a1dee0a3806bb889dfe10c85205c120c2993b8a8506638a1101d7eb8b8afdba6bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
43d5bb90b4e31d6d36b8df1d7d7e6035

SHA1
085fd9e889490b5aea08bf98a62a2bb4817e4ac6

SHA256
52cc7bf4685ca16f98878a8925a884306a03013fde95d4335e05f33659af1775

SHA512
69466c1bea8651f29d2a1db871c9dac5e9797daaf8248524d1dce3999572167c005aba8fd335361f68e3ec20065e74726076dcb43eca6234035196acc1f2c116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit