hxxps://www[.]eventcreate[.]com/e/book-552041

Analysis

max time kernel
39s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
12-03-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.eventcreate.com/e/book-552041

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547464630779666"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 5084	1740	chrome.exe	77
PID 1740 wrote to memory of 5084	1740	chrome.exe	77
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 2092	1740	chrome.exe	79
PID 1740 wrote to memory of 1980	1740	chrome.exe	80
PID 1740 wrote to memory of 1980	1740	chrome.exe	80
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81
PID 1740 wrote to memory of 2528	1740	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.eventcreate.com/e/book-552041
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe7fe09758,0x7ffe7fe09768,0x7ffe7fe09778
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=312 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:2
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5128 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1760,i,14641578686564133141,5299186866630247691,131072 /prefetch:8
  2⤵
  PID:2248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b25352eef8b18e7ba0d7f26ab3464105

SHA1
03ac8673848d908ec0c69f6d30b6b0ba4bf408b4

SHA256
a020a8878607467063b825cb55eb2fac392bcb323605863ab92f0b12edac40a9

SHA512
dee244f0f9f5768a3e6e9771aa1cf844c9205fcbd63a46e88149567c43034eec974528affd679b961be6b0a848910b55195941aeb4716c812ec83995a3c02962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d9620f3ce614fb620f8075b9a82edf7a

SHA1
6c67cb2f53ed0387eda7b952fefa5c7bcd1e02a3

SHA256
05d52bef605928ded37e91c9512e0af68c8e222e277ea7981c50f683f3f88e34

SHA512
833fa42dbb6edd8ce2c7d6f29e61244470fa09eafa6957094f37091abe98a705caec55e45b56068341e624158d0f49ba88391bb0b35bbf73522e9b0df3205740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dd67317145b99179f770fc3fce5c3826

SHA1
479ea469ef93754268ecc85d7ac3300ba73057d2

SHA256
7fb7ed7316663eeabf33d7e9c7161fe1296c6f51eb6180a95856e57ea432e4e0

SHA512
b28895150d897dfbe257b6703760b49f6bf3d9ea57e945866a3e67b2a14018c04dc691b5305d7c11ddbcc84a2a519f389e601bf0582062185587ca7d34d05fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c90e7c73c92227212f30611620eb1213

SHA1
7a803ec1410c7ebd91cf126df2a2188b1eabcb75

SHA256
659ac7bb730fe761f87dbce5dcad3d3b5f7d1746e153d6857da0de43ff1eacc9

SHA512
efcc3c691f111c9c62b97fd681f588054aab279b9d65a546c92a13d08bc67223d28b8bb6b07776ce25257aa8767ccb1045b77b7bac234feeee4a046622a1bacb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
280ac0c97790557a8e1cc2843fafc4c8

SHA1
ab55844ac81748777ea5e8b6184847ecaf1cf884

SHA256
98d1f8d8b26f5598de3cd38764bcf262772445bbe4b6071ed2e89df03153e4b0

SHA512
4337a0da01a245b6ddd233c5888411b8256273c54fd0d451528584db6f498f95972e634528aa98622852bba04d157a8a0dc48202151fe27a4b2c52defe29c30c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9fbba8f027deaf0273420e4c71a0532f

SHA1
51c3b5112be067bc8f4d8dfd95385bd95570819f

SHA256
588649996d141065bf1a342c6fe9c06c8e99402f5b5f29c32cf9b11e5de1daa9

SHA512
fb609a8d91f9f6e3533a1c774f0f64bbfbaf3b459d300be21ab8304d20c282ec415ef16f800e1ec3d1820a25f26d2a0a208d89c4e3803306a9365dfb486b7b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
093c269d4c68e2ce60ae34e441087e80

SHA1
3b13078569961245b7cb9b2ef804d7c470a5b63e

SHA256
e5803427c7b1547a0ce48e0181576a2cbeefa2676f8367fe4047495c0d83add2

SHA512
21b7c8fcab02793d78286d58d80092acfb2b8bf5d63f28d81400ce8146c738b2bec15599e9922d90de3529523a2ac2c9dd185f59593b4ff4e71d68432a2ca491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
74689c0baa7c087341be7ce5472bdfba

SHA1
ea3ea288c1565f0215b549d956e9cf24fbf18eb4

SHA256
cc90ec0f498e62faef271e14e02b0e434c6c115f91f33d076b38127686b61bb5

SHA512
74056b497bf17a2c1a7e9cceb8b5c8581a4f9d7d1f1c8524fdab777e53b141717acd031e206f4c7317ff5cc9f9633aea148c42af7cbe6d348356e24af73fc3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit