hxxps://ateneacrea[.]com/index[.]php?DbQPq=6d5febaafa37c4916afb91149203d6dc&QxHm

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ateneacrea.com/index.php?DbQPq=6d5febaafa37c4916afb91149203d6dc&QxHm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542083849001972"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
5480	chrome.exe
5480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1600	1348	chrome.exe	89
PID 1348 wrote to memory of 1600	1348	chrome.exe	89
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 3536	1348	chrome.exe	91
PID 1348 wrote to memory of 1952	1348	chrome.exe	92
PID 1348 wrote to memory of 1952	1348	chrome.exe	92
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93
PID 1348 wrote to memory of 4628	1348	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ateneacrea.com/index.php?DbQPq=6d5febaafa37c4916afb91149203d6dc&QxHm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd06d29758,0x7ffd06d29768,0x7ffd06d29778
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3928 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 --field-trial-handle=1836,i,4458903231903768553,9626155462557659313,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a7eea79372ca4c96dcd44150649edcef

SHA1
7e34820d5904229054d7ee7241480cf4a0caec71

SHA256
a2cb00d6767601a72c422a29d2a443211628187f342870e8e8197f3d4654b162

SHA512
18c6cba5e2b3b7a90126d647c761abba46e18005227a68a236e40961422f31c8ccf30d707bbb5bf7784a9c595e2186650978cd290c0c9febdc2cb1f83fd5d584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
335e1b8e376e6dd1dc2b9f3c2a7321d3

SHA1
2bcccdea4dab79dce3a35ad5241293e6347e1f3a

SHA256
d3bdd4ea5fa35e326816f55f358efd340466a14ebeac3b44654d52bb9d9a6c12

SHA512
f48cd247f9b96cb20fc3901447955df9c3c515ce086ea5e38fd298e78cd4eb146e029c804ed23c7713aae0b64c56b91e9494f6c640050b969512918309ca2f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2ae1523c1d7c153be1f706f07f23ee09

SHA1
c0070c346456c529e6e68f083a6389ed16c5ac3d

SHA256
4671abec543d151d39a334f7644d6ef4fef71f28023f3cf01080ee3f946a54f3

SHA512
03ba10c7c95d1e4907f754f7ad8fecf834fd68e27e5920bf9d75daadf1e11450f72fbd82950bfed76fbb08785abed44c9fd5ebf4d9e87a4bbeecbaef8b963f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
8dfa300e7e6bd50bc081870116822e7b

SHA1
d4ae2fadae40f5c83a049a51509f6a6ec19466e4

SHA256
069436bacd2444548192b5ba9d63941d4d9803e63cc5cbcb412ca50e86f52f4b

SHA512
e6a03dd62dd64be1b158396ad328e7106cbd6a177a379ebd0e3f0d8c40af79cdf9d775ef42586ab2443ac29d0b3a956d8e3585f93f0301cfbae50b0b36109b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit