hxxp://password-update[.]com/password/change[.]htm

Analysis

max time kernel
299s
max time network
256s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19/02/2024, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://password-update.com/password/change.htm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528206596396619"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2760	1828	chrome.exe	75
PID 1828 wrote to memory of 2760	1828	chrome.exe	75
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 3568	1828	chrome.exe	79
PID 1828 wrote to memory of 5048	1828	chrome.exe	77
PID 1828 wrote to memory of 5048	1828	chrome.exe	77
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78
PID 1828 wrote to memory of 508	1828	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://password-update.com/password/change.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc7e809758,0x7ffc7e809768,0x7ffc7e809778
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:8
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2708 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2724 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 --field-trial-handle=1836,i,18032373950256721821,9768374517150028384,131072 /prefetch:2
  2⤵
  PID:1548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
64d3bfa35adaf72b21158612aaa4d1d9

SHA1
7098792547b123533bc0c27e3fc707df41a568f6

SHA256
9ea6701f55b80f787c9574e16075f2c90e78855146aaaba17714c1c891474983

SHA512
e9ef1778caaf68305bd14f592cfc8d7e208a1df746caaef01bea21a3d544c0d32e498fbe601e26cc742d35ca41f8450d5a557071cc11a937e3fc0dbe4383aef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
70c689bff8bf9336f107d1c3e9f78d06

SHA1
342e4e0d7a41361752cc4628ac838be532966575

SHA256
c679a3b34a7c29d062159f3971b9b4643e46103d7aa5c179dff81ab372cbbf85

SHA512
8388efbba6832fab21071fb01f0c20861eda80d6dfbf607f2effbba88c93b7b2fbff718d885c4c70223f23e70e8130aaa0f05ce34a8cc4d463b3125bafe20ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1780c7bd6039f15d0b7fb42359d22070

SHA1
7bae52c4da76809f1a2254adccbd522d759b6551

SHA256
0597094d16e330b73d92663533cf26dedd3729a4bada935f95a992a0ed7f3e91

SHA512
0f580e73b284a8b8c22cdd1997d990c25922de633b9a266c1b38ad266e45a4e61cd408763733d74a29ad1484f893844e645a9e440238b267b8b46a1f31799800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ec179ac8ce5fbd707225160aaabc21af

SHA1
81076556f490757e07f9ae306a2df92125b413d3

SHA256
5860ab1ed63d632d60f7736b8ca616195b3c991a8d20ea6c4992dfc750ec3b75

SHA512
90131a54291bf660bcd6a8c493bd36316e654549d12c505297e3b5771088b45696d7a49c518666a7ecbea07334b5ffc610324cc81e2becd8c5cc9229b363e33c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
5935e2327c9296d54f2045b674e74503

SHA1
962bf7112286182aa6086e0defa10bda612ec969

SHA256
6481b328f043cd6d7e5160ea2bcd02f23a738bd3df5b4329898d5c87b5911320

SHA512
9c857f10fa3f2220f0a49069ddd67a11d40a15923bec71143d68a1afa0a0e8e0a9ffd45ea751239ce596a983045fc88df3b958285fe4641d9c8326c0ba47d21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit