hxxps://inst[.]flockoff[.]org/lt/1125899922943027/aGDrUZGhA9pxtRc06SDNq

Analysis

max time kernel
52s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://inst.flockoff.org/lt/1125899922943027/aGDrUZGhA9pxtRc06SDNq

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529249987288787"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4988	2908	chrome.exe	84
PID 2908 wrote to memory of 4988	2908	chrome.exe	84
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 2112	2908	chrome.exe	86
PID 2908 wrote to memory of 4364	2908	chrome.exe	87
PID 2908 wrote to memory of 4364	2908	chrome.exe	87
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88
PID 2908 wrote to memory of 4780	2908	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://inst.flockoff.org/lt/1125899922943027/aGDrUZGhA9pxtRc06SDNq
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf379758,0x7ffccf379768,0x7ffccf379778
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4808 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4996 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3828 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5420 --field-trial-handle=1856,i,15436406354685640714,5196757469642301254,131072 /prefetch:1
  2⤵
  PID:2456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
58a7674e87d765089a67b1bf0a5799ac

SHA1
dbbe33cb21c5ecb7bb2d9cb3d1906b8f8ea276e6

SHA256
165423ea1915a6ffae7955ad464729303b8a9f3298b461960cd225b7bc8f8da1

SHA512
8e163aa22fc019bd212713753d61e3e6daa602a11b22f1995981b6e43f93c481620bf3e421351818a21b90a9ec311d2055d2cfbbae750b155443ef6b6932fa78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ad5bb1dd-9b0a-421b-8397-05fe25416913.tmp

Filesize
6KB

MD5
5b2dd870978c5b1184d74b11ccf86a29

SHA1
4872ec61e3be4837d4e7d00e33c71d98dbcabfa6

SHA256
56d0b26278978702774cf77ab42f5163b077761536f3147b501246cc0e469aa6

SHA512
bcc1d8a61d05e62fe41fcfc7b94638bc3350ee57b83bc2c4ba09487952992bf897cf40d854b0914348934f0a325d3a37070d4e3e7f648e875998cb83276ae09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e37b8eb1c563e8342ffe941d5892acf2

SHA1
acc7058eec9c092f33e5b7bac257ed65e2a4b315

SHA256
6dc0b24df09139841d1a0650bbeda31473912735be7842f0d31a04ec0cc456df

SHA512
9b331c6194d151b7c443c3973a6662bc481693e02a55f97954f78b51047d535eb781234139c88e6f5e3e4287beb082b5f9442f2599ab1f18b8df655347c05764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
29472d97504cac26592ceff2c452a982

SHA1
5d5aa045a8a83d6dbd5737952ab3aaafd40947fb

SHA256
3ef5ee20979806824fbe15447204f7f292330438d38ea6ae99523b5a2c5e3b71

SHA512
f72743a7ae7fb1252fb286dd664ee1d74859f8a92c0c5a0bd227b90e72587b779dd09071e40d30d8f2fe1cdb6c7dac734e61778077f5a001a90825a9ede5d0d7

Download Submit