hxxp://e[.]pc[.]cd/SOzy6alK

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://e.pc.cd/SOzy6alK

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529173932124725"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeCreatePagefilePrivilege	3012	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2392	3012	chrome.exe	85
PID 3012 wrote to memory of 2392	3012	chrome.exe	85
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4804	3012	chrome.exe	87
PID 3012 wrote to memory of 4732	3012	chrome.exe	88
PID 3012 wrote to memory of 4732	3012	chrome.exe	88
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89
PID 3012 wrote to memory of 3064	3012	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://e.pc.cd/SOzy6alK
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed12d9758,0x7ffed12d9768,0x7ffed12d9778
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2796 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:1
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2812 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3460 --field-trial-handle=1880,i,9204651041775556057,606171664229732658,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
fb08f473927e7838126931e748f37c71

SHA1
e30c91b7f43e6587dd3daa52b3b80acefe976e41

SHA256
387d23acd7cf265769c564ea20f6a0c0fe66a292b0e06df520c18781420ba266

SHA512
f931d1d83973049e60808b9163ecb53b8f57c1c4cba289a4e928ee27c19c8c2e495994eb50af8d41c1502a4cc396d679b2519809f36ad6b2666b091d4fa3f85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
297869eaeb42604d24668abcd65555a6

SHA1
a51cec34cbaf897949f57cc532951d8058003baa

SHA256
be22691ed6e32cc1e8d0939894ef58a7e3c3e5ee056622008aaccf35ae793965

SHA512
9c239636f588b1a67c64b1c2613aeb4852a06241eda535552eb603ebd3b5c01cc5d8e1398bd52467982202f173719d2cc31d515537fd9ba931b6205d2017f9f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
73e15c539f76ae6f380070567eb78e7e

SHA1
c7f32c3dcb3b0a04cc0cf7f9770887595b4a4d39

SHA256
ef4bc23f9502c2752a49747dbda1ddcc58030034f5140f6ebb0827744bfeb5cc

SHA512
81f4e160e2f55fddbb5513d03ccec55b0b7a939eb0d0732b0ba0b989500e38df675176ecebe0785db50c3ecece952a346aa9e9cf983a3707076478583ec6997d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
036c960cd514741be5463315d5969f82

SHA1
eddd6d0f75590e658de85aadcaa249e0f5ff65ca

SHA256
299fe37dc12db915baf66d6af7dfa4ccb9ba11b70501ded62498783481eac78d

SHA512
6fb4bb9a0b7d9a00a1e510649951c39727723ce11f6bbd4cfedbb9c001401774c3806b080118f57940f0ecf7c734fbcd60072a73af1ae853ec7aa8b43781ec85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
b3fb9f0ea449cf1059fde8400faf4249

SHA1
aebb3d3fb1d2ba60e49710be8b91bf78cb4f5166

SHA256
e15ba661b68dcc49000a4bef5896c1ec68e74770055f96b733510a1d235c57d9

SHA512
0f321bfe0a4ea8e54fe5a82238e2b942b26a35c886cbfc5f737d4d4fdd92c557a97b42c1c8b40ac16f9d18ab35925ca534dd5fea3392657960dc8353fecde97e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit