hxxps://envs[.]sh/hDA

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://envs.sh/hDA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133535811454842354"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

712 chrome.exe
712 chrome.exe
3792 chrome.exe
3792 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

712 chrome.exe
712 chrome.exe
712 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 712 wrote to memory of 5096	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 5096	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 2120	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 1416	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 1416	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe
PID 712 wrote to memory of 3492	712	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://envs.sh/hDA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d779758,0x7ffd9d779768,0x7ffd9d779778
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:2
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:8
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:1
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:1
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4732 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:1
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:8
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1704,i,13782390913385976642,508920113257286324,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
2e90a3459fa9d50de61987de23dbd4cb

SHA1
40aeca7470bd2cb22b5092d272db979f16662d66

SHA256
4b5ac5c33285121a850f488f78c98a9c2e1c001742f94a942d8d2af6df886774

SHA512
9c6665d63fee0aa547e6464a8b2a24a49bc1fdec094d51939b8b242e098cd95fbd7ea8df18477fa9dcce3958a18ebb261639419e85b34400d5b3517c4696c833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7c9190251c7ea98950e2c4826c3f1d2f

SHA1
32ea27432083b8dcd408c6f44a2287e2085eeb85

SHA256
cc10c155048b3136d4663c3601979769c581e842ac6f8f8187e86273619e53ba

SHA512
7bc581d146dac4e0772439a22fdb3a5da9f84ec34d0d0d416af0cfbb93fba356078e0790e93e15164dd60fdcf735343139436793d144cd2c37df4d4c1b8ec3a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
b673fdb1ec3b73d40f04d65970162521

SHA1
007f67ca4306e98caa1f250e35d6be5b186839ce

SHA256
649e43ada76ee58a8341174bddbb23cdca8a9003a3ad3fc7507a329f1d8489e1

SHA512
eb4bef2c24e2df612148a9c39997a7119aacc6978cd112de52dde8ae6567ac393cbbe6571cab060466bd18b9bf33bbbfd5077b1bf4062f1861677e38f53a7b8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a74815b39642bdf1c15bc20ba65a081a

SHA1
6ffa3a70e9be0985b45ab7480ec1c065351d2ef6

SHA256
c67496a66c22f3c1d0f144c923c00693e51c6c0c1a6c836bae011179a1a5e913

SHA512
789915d79234290de8c839f37d623a8264fc5fed6081fa07c5948ec13b1d372262f56b2251d660c41959debf31c4c1eaaacffe800ffb7368525ae28f91d13645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ff91b5f64d255b8d138f9d6c6a2cdc84

SHA1
3a63196e58e665789c03e1fa8500a6be8a40b3ba

SHA256
a04634634ac58e66a7cfb6830ea2367ce7ccc7eb6b26fea438c6c39a1f48a391

SHA512
cf39879775b764e61534c0d4164097ce9e589e04dc26359f1b4f07712f184b95f216eac0ad58be634a29f40ef7394e50db60647ff3a91ab44e150e6a78fdb779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e7803f2bb250f1733ba697d721bd7300

SHA1
8bc1fd322a127dcc277dcf8c064570b5e1b9f1c2

SHA256
e6b1478162eb81a105a515f65650ebded8b150b3f34505263b014f95dc83bbba

SHA512
c6b8448e451315799598ad6aecdfc13e4d383c924f909c606fc7243b8f2e0f3e4e578b2dd3f3080e5a3a29ff83cddcd600579abe6059caf49b1cad962c8a46b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
8a93f4fe9c5076f12d486659114a2163

SHA1
fa28e1570a8d4eba58df342ed7fb789ae9756e86

SHA256
833bcc8e8313ec728cb5d61e56891077b27dfddbe477bf7595af669a768250dd

SHA512
40fcfd27a2986f50e79c9320c59b2e1945bac585ba9ce75c8080791864130fdfa1e848e232e1232f8ad9ac3b01b9f0da7a8cee2b766ca9d37414b54b661bf841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_712_IQKJVMLBLDGRDORE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit