hxxp://hemmlocksociety[.]site

Analysis

max time kernel
1800s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hemmlocksociety.site

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133548022908924466"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3856	4364	chrome.exe	94
PID 4364 wrote to memory of 3856	4364	chrome.exe	94
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4524	4364	chrome.exe	96
PID 4364 wrote to memory of 4104	4364	chrome.exe	97
PID 4364 wrote to memory of 4104	4364	chrome.exe	97
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98
PID 4364 wrote to memory of 3772	4364	chrome.exe	98

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://hemmlocksociety.site
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6e6b9758,0x7ffe6e6b9768,0x7ffe6e6b9778
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:2
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 --field-trial-handle=1860,i,4391700814710480024,6580614292060299306,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
09603d0b2c11310910a3afd14c491667

SHA1
691968052efc391e4bf03cb6a8a59730af444ddb

SHA256
c6107d6a1b11fe5cf8e681ad6c414d3727662ff36c4b6214f8934a069a83232f

SHA512
e12dc8e5734da1a51274a050890bdbb06c42ad31059e62388c95bf8a4866020b88047578453025abec14da4bb9bbe26b4c5c558a02428818f8c5cc6e9069ee51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7452190c2aa6f2fd39eaff310f2cfc44

SHA1
0a0e166810b1792ac0bdbca67d8995f4ad0023db

SHA256
c73f0510fabfd7bc840a9ced384e5b8a1c70632de05f1ec445c980302553cbae

SHA512
f0b42e09abb0364daee7509146c2c6658929688e3a2613abe9f9b25cd89e639fdde153ab206336e6eb324ba76ccc79d3fc39a449190df5760399dd2d58875f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0dd9cfa519ccc19305f959052890f79f

SHA1
4a34689ee72a09380ca62a041f014d47835b9002

SHA256
51781e3a05c6330de047b647a43d19b3451c51bde6fa8f0e951973e1dd65f3fe

SHA512
4d7347590bf4bfe68f0ca6f61904c25f3c42a409e2d1f4ed5a50acee0590f959abe37874aaa6c18338868dfb742d39bee244bee7476599b90a68676b5de32a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
24799eef730bc55c46eeab8feff73848

SHA1
d139d18e5de1aa962ad0d5838d7ab3596cb5698e

SHA256
7b5ede444767f72cb33ff918c35c05c48dc304a9f1ce5a11d263e5de166c3cb1

SHA512
3af9f583dd0d2b9b1d08c5bf1c948b3f04a5bf4746770ba803aea9fe951b141818064b459e23c8610a67fc9dd1d5b24578f5215802ac02e2e59cbf8d03056a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
a027efd60de32cf40baa4e87b143c69d

SHA1
fcd2060eb6a77395753d96b3ba68332de5b9ad86

SHA256
8ef93290d9642c6a6e17c05e51ec9da9df9c1291415dba85ff17400d811064cc

SHA512
0b44c826615ebf430cfbdca35b22c62dfcf24fabd49e850bf208a14f1f569bc5f8d76cbd61fdf946750b38a146c1e1a210cb36e112143fa3ccf0d1d6577cefde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit