hxxps://wa[.]me/+375259112693

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wa.me/+375259112693

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133549085411653664"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2328	3420	chrome.exe	85
PID 3420 wrote to memory of 2328	3420	chrome.exe	85
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 1688	3420	chrome.exe	87
PID 3420 wrote to memory of 4652	3420	chrome.exe	88
PID 3420 wrote to memory of 4652	3420	chrome.exe	88
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89
PID 3420 wrote to memory of 4620	3420	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wa.me/+375259112693
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed2ea9758,0x7ffed2ea9768,0x7ffed2ea9778
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4684 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4856 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4156 --field-trial-handle=1816,i,15758003886557868123,1875052397343951821,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c938fa5dadba2de38aca63f71fc488f3

SHA1
c9622d63a9ae43d173f87defbeb7b17265fb8bd6

SHA256
3dc6519307d19838e7d82df98305d52af0b7b32c339562c66b7ed0ebbd536e49

SHA512
c3411fd36ce602fe50004414a2bc86ea3218bdc8f8b95f1ebc8d318d91d927326fb6e5e4a584c17053814456c451fbe1563d8a0cf308c07f3c7298d3debb5ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
799a8fe80d8a5502458845d7c86e66de

SHA1
8b3cb3b69f69ca296728bbf5c6884b6dda891cf3

SHA256
e81ddfc61152097490ea72e2a8704c9c7ca82d72d7965acd669782b920b1a976

SHA512
45d5bd1b23e402b0fa56cdb0dfc4e5952d2583f59b5b04b1e9524f4d9bddad1dccfce72ec1a569a172428b5482113189a9c5de720fd01566422f863ad85e31e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
18eacee0222bb516b06ee09a01a84355

SHA1
b3207a8f29dc9d220723fece76f60bd6734b32bc

SHA256
1d97a8e52135629bad54b197373d81b24ad8d32d9a8f5f5760448fa48ff0e24f

SHA512
cb35d5598ce0879b8f256e97f7a7164b115b75eea295c191bcf60ef858d0a28315702a8c342ad7f73dd15fbc7533e52dcc83f16f6ac896edd727bcc41d045ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
da6f3081c06c486aac943c1add372283

SHA1
bab5d65a628c363692fa35a236c218b84c4b8423

SHA256
7595aaaf1d9a4df249858879b25b4da94d990cb55439248ce1c7ccf8d3a1971c

SHA512
2e8cefcc6787d16dacb486b8ea3a312a896abb7441798e2bd8cea5c9aef802b50cfabc368c39c0ef44c2b660f79ab98d813e8e306738719afc5d53984a4381dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
3bb5eed606eb857464259a1850563c98

SHA1
937bd50d7e1258c54d959d296c53e747846d5193

SHA256
9bcf6bf1bf780e5d5e67125d5e11900adc48e7a1feeb2e31acd8978451e15885

SHA512
8e6773226ae02dc1117a954a30e5744df8b03091c63e9ed806652ed82d9d085f3e514ca8a482ce4782c46bdf6f44f09c11ae454bddee3c237fcd7a99f1f09a5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5badd2d75bea028159397094b4b455d9

SHA1
20f4ff3fabdced4876c7dcdac151ecae007c243e

SHA256
a29633f8f407c86670f4c9c06a1c98007b6996ec1ef32441c9962203e2806ec0

SHA512
6d9491b50276da0835f8f399534c84ac36e55cdcc14ca2a4592ab7ac6d4d8d2b7f5ce4ae3de57ff9215be5ced9799e870ba88f864f7438de1db4ab8d3d3d8ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
af527569ba13615a630f104047e96fbd

SHA1
d59cde3c806d7d5757215caa795d46700460e2ec

SHA256
57d0fea489fd1c633d96f0259865d29de25c153e08094a3ae1c1c20ba5555f20

SHA512
b994191563f998b289fe0adf099f30f29c73ce7f67ab34545d8788b4c1a22844a55466ff2ecae248f2bd59093b9a739c6c82b1c42dc525e788c32386d14c6b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit