hxxps://crypt[.]single-sign-on[.]password[.]land/XL3FYTVY3THg4K0dlRU9iSUcvMkdYejQvR25lQWR3ZFh1dk1HbVdrYkdpN3I3M3EwVVpzU1lqdkdzS3F5Q1FmeHBIWnNWb0V3RXVhZzNxa0h5NG5TaEU1SUZYc1R2Q2NNUUlwSFd0d3BpYk1UdlY2V2RmZE5FK1RrVG8rTzhkUDA3dlg0emdjenRMeDNVZkR5aWtKZ1hybUN0OWFoWWFpYW9aaEl1Zkk0Ry9TSG1SUU9JR2kxaEE9PS0taUZZZVU2K0lyTyt5OHNuYS0tcWlhd01FOGR0RDFrNUJURjhkQmJsdz09?cid=1953050333

Analysis

max time kernel
18s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crypt.single-sign-on.password.land/XL3FYTVY3THg4K0dlRU9iSUcvMkdYejQvR25lQWR3ZFh1dk1HbVdrYkdpN3I3M3EwVVpzU1lqdkdzS3F5Q1FmeHBIWnNWb0V3RXVhZzNxa0h5NG5TaEU1SUZYc1R2Q2NNUUlwSFd0d3BpYk1UdlY2V2RmZE5FK1RrVG8rTzhkUDA3dlg0emdjenRMeDNVZkR5aWtKZ1hybUN0OWFoWWFpYW9aaEl1Zkk0Ry9TSG1SUU9JR2kxaEE9PS0taUZZZVU2K0lyTyt5OHNuYS0tcWlhd01FOGR0RDFrNUJURjhkQmJsdz09?cid=1953050333

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133548818719971132"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3672	4092	chrome.exe	86
PID 4092 wrote to memory of 3672	4092	chrome.exe	86
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 3524	4092	chrome.exe	88
PID 4092 wrote to memory of 5088	4092	chrome.exe	89
PID 4092 wrote to memory of 5088	4092	chrome.exe	89
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90
PID 4092 wrote to memory of 2276	4092	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://crypt.single-sign-on.password.land/XL3FYTVY3THg4K0dlRU9iSUcvMkdYejQvR25lQWR3ZFh1dk1HbVdrYkdpN3I3M3EwVVpzU1lqdkdzS3F5Q1FmeHBIWnNWb0V3RXVhZzNxa0h5NG5TaEU1SUZYc1R2Q2NNUUlwSFd0d3BpYk1UdlY2V2RmZE5FK1RrVG8rTzhkUDA3dlg0emdjenRMeDNVZkR5aWtKZ1hybUN0OWFoWWFpYW9aaEl1Zkk0Ry9TSG1SUU9JR2kxaEE9PS0taUZZZVU2K0lyTyt5OHNuYS0tcWlhd01FOGR0RDFrNUJURjhkQmJsdz09?cid=1953050333
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe19a29758,0x7ffe19a29768,0x7ffe19a29778
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=308 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1900,i,996243990023167808,1430534615293099277,131072 /prefetch:8
  2⤵
  PID:2244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b86bfc88562b281cd1e3a1bc40863930

SHA1
fec1b3d6fbbceb8d0375b3dc93a00d0a28292ef1

SHA256
06d1e4ce0d732fb3e4f404871cbc0191270d3653b34439421714ab176290d98b

SHA512
90db45e6b99dcb3deac4a482cea64ba835a0ce0e3080f04ae6db689e7dc229b2d3fb21596b8fa9c2599b5440fc753e0a872a1cb73ec979fbb1255da68119681d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba6ce7af4d559c85e012a417cf5af6c2

SHA1
cc231b1d0d7e1d0df5f504791d42263ac7215894

SHA256
c5bd53b89e9f2981576f0d64ff73400df0d2ef349dd41e4973c09fc4542245d0

SHA512
36720d19d6ff4efdabfed5eec76b8995fc403ae45582e0423ec13fed56ea3b0c83da309935b92b6b08c33b2b2d86ba8feeae1904ff1bb532741fdb63847e2dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97aefdd6606623de5b1ac91ec5afe0c8

SHA1
c438e860e5270a805aed79b2f97762f3ffcfb1cb

SHA256
3ee837e44dd0a84bf11b114874cd1a1fbbea98a1dd2708c55f0f57dc71bff6eb

SHA512
53fca94d963e8f93b8aed453fccbad161e30a8cde046b99a9f03cce839a24b1246f09328df44dbeb4f4f090bc900b4338d909fc8101705a5d4590a052da2885b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
0d25acd1ad9974b67df44e6b0c14528f

SHA1
f17c86fa181ea1bb57111b0ba04bcce7f23cbbcf

SHA256
eb2d100577f6f8d086f3ce77073e8a26cf9bc4f9abfb8b5838fb24824087cd18

SHA512
3a747947c5f514007451f8b6a089a9ec3f3c2e8fa06366830446f328578278f85a90c736cbcc38cb5adeb18a7bea063cef619660cdfc778e41851cf92f64ecfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit