hxxps://forms[.]gle/yYDQxP7mRWUbq4Lw5

Analysis

max time kernel
119s
max time network
125s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
14/02/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://forms.gle/yYDQxP7mRWUbq4Lw5

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133523774690767158"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 220	4808	chrome.exe	73
PID 4808 wrote to memory of 220	4808	chrome.exe	73
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 348	4808	chrome.exe	75
PID 4808 wrote to memory of 4292	4808	chrome.exe	76
PID 4808 wrote to memory of 4292	4808	chrome.exe	76
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77
PID 4808 wrote to memory of 4948	4808	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://forms.gle/yYDQxP7mRWUbq4Lw5
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc4d409758,0x7ffc4d409768,0x7ffc4d409778
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:2
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1540 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1780,i,772582187235864012,2670411482116419608,131072 /prefetch:8
  2⤵
  PID:2580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
b7b2c93f8670376494f4f190f5a1d509

SHA1
15fea06c081dfc9aef508c3f69b7919011b1e715

SHA256
46db7886819d2bfe5d027de1487ef2e881d5a0151306cd74570c8038477e2be8

SHA512
3de373df81a86c19a7dedd5a627516df667cabe1e3a9ed08057388061d9582d30d27a062548798e628a5cc41070417cde8faf0ae03e85629b7616754c27d130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
047d368e6fba2492f9e785fcc790f70a

SHA1
74e4e61d9b11af134a03739a8e1505701a6e94b9

SHA256
b100d2045ddf007fdce324968c527b758ddca24716fda13d4ffd6bb9825f3e81

SHA512
14b2e6f7d07bdcc3bcf56156d2e8cec9d7548607ee43caa2a70c6987617888a9a8428cf8dda15fd19a9fad8f388029ec0c40cc88299aa92c5f65bb469b932455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
ab7aaed6386ccea6b981af5eb318046b

SHA1
c478c71bbe8914c9d539ca79fea2e807510b4fd9

SHA256
d77978ac7992148a209b42ccafdee362173d09c48581666c4fa37ba563536ffc

SHA512
f2cf7c1481043b60c0aaefc0259e43f193df28c1a912f3add6c617f7eb8000bbf3aef653bb92ed588d1aa79dc94b4677d21377ac62501c02d3e9dfaceb6e84ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2171bbf5bad651c210a3015682058a30

SHA1
393ed0113902d516abee8e3b9c1d90c6db748142

SHA256
05f50512ec0b177e95c6b5a19f878d3e6a1365db438492bc813fdcddeaa31d8a

SHA512
2a87e7863585c3ec9fceba7d2a691a80eb89cec38177ba0d6e23ad1de02b55c51db56914028abcf8224b5091429896e78ba55e938986b661a86ea28097926e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fcb99cbf1c1faad46d6dc7dcd39323e6

SHA1
5b60023e53343fc195f368a7e659ae5af104b5ec

SHA256
0c8f29995cb0f521a7743b6e503fee9f82ec5af3bc0723b75ce2ac6f248e1bb2

SHA512
4dc3378fd725da37a9d5f4607cb5ce828d0285b0228cc777568bfaacf428394214f3f395a7e0006e7893b0f8e60f66b3b66461873f510a58fb47389603a6a7b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2e446e9e19d3d26c71d7c81982df5f20

SHA1
83fd9bb6e03f23fc671b8f6479545bbb90cb41fd

SHA256
6a180aefa33d7682d82b90a03793d86d9fd9a818a7be3915e2ed4269f36e55e6

SHA512
cb07767136f23f268c788753c620d978efdfbc1fb4616404a2d7e430b1fa8b747b26e442668ddfd861908c1342c6f371c82279f1be6c3e922657947fe13103a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
3c8bb32ce5fd23672e3b46e68a98ed73

SHA1
f21092f2547f7734adc4972d246a71d6436159c1

SHA256
74a8b1a1c480ad51873e7c64fea4451d139e0a11f9e1b955befb027bc8ef7708

SHA512
100c27488ddd924395abf7011143bb9a41c1af8b74eafc8eff0a237e4313fafc071be2e7abb7cebf27ad59f6f09a7adf9fb096c4f0ac5ae0450688eef445ceaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit