hxxps://r5g488rgrfgd[.]s3[.]amazonaws[.]com/knth2ojth[.]html

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r5g488rgrfgd.s3.amazonaws.com/knth2ojth.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553590420211207"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1172	chrome.exe
1172	chrome.exe
2280	chrome.exe
2280	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 5044	1172	chrome.exe	85
PID 1172 wrote to memory of 5044	1172	chrome.exe	85
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 2740	1172	chrome.exe	91
PID 1172 wrote to memory of 4928	1172	chrome.exe	92
PID 1172 wrote to memory of 4928	1172	chrome.exe	92
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93
PID 1172 wrote to memory of 4636	1172	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r5g488rgrfgd.s3.amazonaws.com/knth2ojth.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb261d9758,0x7ffb261d9768,0x7ffb261d9778
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:2
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4608 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3948 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3344 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4928 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2732 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5196 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4496 --field-trial-handle=1948,i,12021970783149409978,9406235790070596262,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
68328bb5bacec6279bcd78206df265c6

SHA1
233ab74c6c907c1c7d89fb21926aca052c21ce54

SHA256
2e6b6c4da3c7e597440710017bb69cb936f32958c5acee481e5dae4d267624e0

SHA512
df1671dd08d3c0a6734465659ba94e5ce80765e0f1acaeefa915dd75fece09c3178c48d6308ee61b2899f9ef78a59dd44544f19a6d1e756c1ec2372da941987c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
37a5653527b99a301a4a2bb7daecd907

SHA1
f89e9c45404563ff532e694dacf094a3f9cc6612

SHA256
3e63973423db4a9dbbf63afa8d6147502ef519f8e4eb7ae4d7d772920f00a92a

SHA512
89abe7510a680a24aa5b535460a0d6b06192e56cb484d24a268467becf5e9e1237981a693bf97d0ed9d5a72170376fdf618dbab52dc38dd24998520efafb33e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
1604026e1bc7d2b5ca6cecda470180fc

SHA1
0dea40db2e02a4996ef4fa6558eccbe1b41162b3

SHA256
134a0e7a8212eebf138fb23b74140f4af44dd2dc465da0f8e0edeffa72b6c6ef

SHA512
a6a79d207e16ce432d1b653cb3aae7d4f0fb47f04ac0f72fd397d42cd6b2a0c13b1ae37c689b04b4e26beaea3296f1484e5f1485cc31425cbf625ae03dc7d89d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit