hxxp://checks[.]center

Analysis

max time kernel
150s
max time network
160s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
14/02/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://checks.center

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133523795971489368"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
356	chrome.exe
356	chrome.exe
4040	chrome.exe
4040	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
356	chrome.exe
356	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe
Token: SeShutdownPrivilege	356	chrome.exe
Token: SeCreatePagefilePrivilege	356	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe
356	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2504	356	chrome.exe	76
PID 356 wrote to memory of 2504	356	chrome.exe	76
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 1124	356	chrome.exe	80
PID 356 wrote to memory of 3760	356	chrome.exe	82
PID 356 wrote to memory of 3760	356	chrome.exe	82
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81
PID 356 wrote to memory of 3132	356	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://checks.center
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe29a99758,0x7ffe29a99768,0x7ffe29a99778
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2784 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4480 --field-trial-handle=1808,i,12370848840919708572,8545658663755018103,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e591f9cf2a89eb45110f586787fc236a

SHA1
98d29db7a3289e75414a6b0b3bc6e5f4e7a790a7

SHA256
dedb88dca5da3b907632029188063a8052c79a1c806518fe7bdb5801fc3f6dc6

SHA512
c298ed599f42d1a6bb4d881d17f9158cf78fa075a3f4a8c88d1a16cc35f177664e7add2fa6bad5c588d48ba556a926d00770f750fa93dfe6b19c67d22fb6b80a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5267fce43c778984fba5660749eed606

SHA1
008a8165f44c2328ab0d90174fba946ef3374e0f

SHA256
a9eb214fe007cd6721402cc4df8b32b36217fca070e97138ae635c44e340ee72

SHA512
cb7de0e42d4c36646133a5b42ef4069ba8450b27fd51da8fe59f54bf10f63cc0ea780f5106f870e433de690a1435c083e0ba8734a1cf9d3fa5dea700a6caf4b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cd877b05f3e47bc9096dbbec0990735b

SHA1
96fe914f0afdc798277e3053a2fe3521b022a7f8

SHA256
dfed7dac9c47c12ab2de390f95778e29f05956e77f2c389855f2d73b28292351

SHA512
140b412987240a0696edea2b68635df2bba30e431b4d6801bdf5a42a257aca749b63488f9f604e34cc163e2e9e62e9e8f4989c643891aa25defa3f506c98b16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97807f588ac596b81969fee80e602521

SHA1
ca821d845a56a91f0c04fab9b974d305f47ee41f

SHA256
50a60955136b062f5dcf61b95b3d43cce987f1599f9651dc482c532a09ff8d03

SHA512
7b2fc66d6b306736668a62bd44d81630c3b9dbbc6a200901219f073fb15897168b3a638e5b16634aa51d32c4bffeab785201eb42d2c351b9fa7242ba9b1794ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12746299ecb891ef0d60445835681c14

SHA1
08fb387a762a32d5ea613001d1fcea822fa2b2a4

SHA256
47f7e61313fd9822b63270ace3c75deec674064c1dbde873b12c4af0bd68b34c

SHA512
8867f547858a9c9289d893583d699435cebaad0970278d9525fa6f92ea3f93e5b37f0c41475c0d660ec5fd4b3f72bf16a1218409d431add32624e5594f0d7ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
a606713ef18ee8a6f57eb5ab2f27fbaf

SHA1
e165e652bc51253ee0b34e528626168bb42cc204

SHA256
a74aeb0618666eb49694ccaeb2f2ba45ae33ddc9b97f1d737024ae9335b87dbc

SHA512
a81159edc7d42f985eec3f0b8c869b9f8bb6b132c20a1fbcee9f23e842e5b2a0491645a46e98a55b4f1f09813bf34acc7101b433a8dc15dfbdbaf21817d8b4eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit