hxxps://saratogachiro[.]com/

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://saratogachiro.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133543307115099076"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeCreatePagefilePrivilege	660	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 4740	660	chrome.exe	93
PID 660 wrote to memory of 4740	660	chrome.exe	93
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 3468	660	chrome.exe	97
PID 660 wrote to memory of 4492	660	chrome.exe	99
PID 660 wrote to memory of 4492	660	chrome.exe	99
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100
PID 660 wrote to memory of 1984	660	chrome.exe	100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://saratogachiro.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3e139758,0x7ffc3e139768,0x7ffc3e139778
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:2
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4856 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 --field-trial-handle=1864,i,14688604704000189367,18399226370166577853,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\72a037d3-ccbb-4611-a912-556ae672325b.tmp

Filesize
5KB

MD5
f04bdff447219b173b2bfba1e7153298

SHA1
a628d170b476cef43d815ec778c0b99bc0f911fe

SHA256
480a295897cf913c84c2f631a0e267a1ce3925b05c145906c37dd0ae0c96772b

SHA512
6c7a96556400d03c653e1d707702b57ed9f9151e82f398340302b9a6f122694e15568679c0a3c62bd77f9ef5d53fbfa6e244fec3a109ddd1de7625bfd46182ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3c54471d421af8178c3475630c45613b

SHA1
f81c9e2c3d1bc6a7f7a42172c6fa3a8f95d10b09

SHA256
5dc632f21af62451b230ec4e5975edc026876ce80285ba1775a9af8a075dc44d

SHA512
ebc0b08b4e8c83b49d44c645e6567ee4550cb8add4cdcbca98550759f8b45a24f410e274f093ae577b552eec567830f2126a4a694f8ade1471085f097e76be46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
7b33f95d1aa784e89bfec482d2c1b460

SHA1
f23b3a0e243a59085832d15fa31f0673daec55fa

SHA256
3a5e5f3b5c8dab616950e452b4188c879a0d82da0319255327fdd31d3d7fda84

SHA512
e5e3844f535bd6e3e0f6d792f4c86d53b02b3466a2ba24b19eb0584ec1cfdfa9ecbfd09d74758fabd02fd3b05758dd34b64ddda48c18d23dfe449a84770edac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d2b0e721a1e3c418eb99ff5d4da5caa

SHA1
28807eaca3d65a644f1b04a9ef4e6acd205fc6bc

SHA256
189893a58644ed33a620fd93c8805377a4edf5ad5905cf14ad20144556dfd58d

SHA512
8372176955824b2b7ba61e9dff523fc03f4a26aff8c6ea74e6407c57316ba01848a77fa66ce38665f955216cf74f1452679afb03a5b01e5853b5e28d7c135c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0fa7cb2985105aedad3e8327386d7163

SHA1
e4fb2f174134600989d37e6014b566e9be8afe26

SHA256
cb393bbd1f6a87762f46829350d41bfbf79df99539e682b9711fcb1914383506

SHA512
f5e13782206e53d2d98acdc47219953a790f469d0376dca9b9e82e12c42451e927863990ad308aae01d086e341db14fa7fce7be3efd75c2247bfccda6cb238b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2c60c00fcbda1c7cbe7c87ac0c1bb8dd

SHA1
8fac74dd9a075cf94e985977dcf12339a12c2869

SHA256
a1824c1aa4897c2bdfb9e96443943265a353309754823ba5ec59ddc578357adc

SHA512
92e0c4fcf91f6321715d4e3882323f304682b4496b9099bc5b2380478e7e8be64e5aff078ca826ac541184ffda07fd5f05e8d46b12df8fa41d3a05fb88db17b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
7eea931522593923d19cabb1b16463b9

SHA1
2ae25f37a31a988ab1a2dcab62339aec551a18cf

SHA256
197826be2314f80fb377121d3759915690323ba34949f68f050a4a36bea1e185

SHA512
bb1159430220d8678e54475b07eab40aac130f9891761fc71bc7ccb10703a04bb0672ff83015c783420cd77c92582cb77282001dcf36e1b238e04571b15e8572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit