hxxp://54[.]237[.]150[.]173

General

Target

http://54.237.150.173

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522365512564021"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1368 chrome.exe
1368 chrome.exe
2336 chrome.exe
2336 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1368 chrome.exe
1368 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1368 wrote to memory of 4868	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 4868	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 2080	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 3528	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 3528	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe
PID 1368 wrote to memory of 396	1368	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://54.237.150.173
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5f829758,0x7ffa5f829768,0x7ffa5f829778
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:2
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:8
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2764 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2812 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:1
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:8
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 --field-trial-handle=1876,i,6201592567992603717,16237627658776487320,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
6429a273ae0134fb3159774a1ba01cf6

SHA1
4d8d7b5ba9bcc3f247a963018df72bb861f5455a

SHA256
e5fa245a747c555573f1a4b48746d2a64ccd261d932f2818914744145a4f57c0

SHA512
38f8632fc844aab066f99658620cf7268976ff402b2a7aede642271d138974c6ed9c8c8a3c49aa33d9a8db8327604d0193611988bde45258c47474befcd430ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bb9595733443fc9d55344418b60413ec

SHA1
fdced732da48e5f0f9d70310ae5bf8cba574665b

SHA256
8922c85ad9968285565418693aca67d59a30a0753e71536b3f4f99745fd58424

SHA512
e7b945eb7b2378f65bec861ae7e5dd0f84f44a577140a8015b33374855d726641797f059eb804639c6066d9561227b9ffddc1078059db6e51f3ea01bad286d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e97d46142f69ff370e16b68f56bc88a9

SHA1
70866f8e4e53ebaef37c242a945f66c7ea54986e

SHA256
108526c5ba6f37a4faef6ec66c9e8e82a4e2373857dddada2be06c4c28f1878b

SHA512
ccab547b4e5ee73aa78a0620faea4130096ebdf09c307e607a5ad57fc5b6d59a5a307f3db8da91103168ef3b4f3308edfa766f60f693990dae7e33d4c8c0c828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
4869c714e84070bc35c677da5fc6b263

SHA1
a94c30e8515e3154d0e2e74fe03f02adea398267

SHA256
306442406d3f4d1aa34018cfc94191e303afe4a65f76f59ef619793e674f26d0

SHA512
27e6d66211523a39a11c604223e132b326e1fd5eb40788194cbbfe44d600a9b42fbde590311628f7075c2f2a45c7cee668ab7520e40412540ca6285ddbaed6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1368_WVJJHJQEJCETJVGD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads