hxxp://actionlogics[.]ai

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://actionlogics.ai

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553184615587298"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4848	chrome.exe
4848	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4968	4848	chrome.exe	88
PID 4848 wrote to memory of 4968	4848	chrome.exe	88
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 5020	4848	chrome.exe	90
PID 4848 wrote to memory of 440	4848	chrome.exe	91
PID 4848 wrote to memory of 440	4848	chrome.exe	91
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92
PID 4848 wrote to memory of 1128	4848	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://actionlogics.ai
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd655b9758,0x7ffd655b9768,0x7ffd655b9778
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4912 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 --field-trial-handle=1872,i,4175293477088795754,3163995180513867321,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
24964ef47ac39be057bbfd1137ed7fd3

SHA1
348b9d18dbe1305b829547618101762ae823361d

SHA256
a27d44076d3e8e92a0070ff44c2a972eacaa10c5edbc6e7e470abc73e7b2f56b

SHA512
9797ad4e1bc06d2b9b5328fd4a8a6e085896c54c5832c5ad53d57b18b3482cacb7a305e7f0a9486b2f450fb523e55c3cf4365b88d4563afea74ae5efaf047777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bf16b0929569ff77bb86ea6c5f6906df

SHA1
e1d2223b353e064923ff54d4d4597976b693260d

SHA256
8513b73c1555451ec6714d5c4835d71ec3e452238eaf73f30f8c94ba84874f4b

SHA512
04eeda65a3cb1151e47165e49753532cbf63e5de271744baf52274c7378dd523d4a71ce64c29545fde3ed685a25b6f8ca84363271b63f267ab8e42e7ab33438f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
52dec8a5b6bb1ca436fc00604b5313e3

SHA1
374e02dedf37cc810c96b4515f5aac09372df3a4

SHA256
0cd7f4eda3a3c07c83440547528fd971137681fc06ae2796e73ddd4c68aadb7f

SHA512
d3cd13efda29041d15b624d9624ebacb69ae49e055a1d51f0c6bd4b56a47808edf85e6d99548f2d3a8a66bf4b0ebedceb4d36e924ca95839a2d8c309c8dc0ceb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
758930298e88933ba190c29195a4640b

SHA1
3b30919e2a5d2aac00d40f35c0c0905a2eb07c29

SHA256
b5db9bdd9f4c8d9387c34bac8b20088827cd60fecc38e8287df2b68b34255a7b

SHA512
4ceb32b3616e9bd7f4c241914af48abfe625451b8dca6c88cb3af2e6b5e188b049bcccaf1ddcb7000bf952cb8ab8e43437f62ec934c882d7de0eb686a146765a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
80541d02d57553f34f87bde2017655b4

SHA1
0a9d7a6b377471b91b6f3837c56984d3e8d687af

SHA256
b895ac146e27f5cc83405ac35f55cf39b5f620229ff88d866141dae4360b1333

SHA512
c032d5346c4c44e33c258a73fd1269ad63585de9eb637c2fc67e670fb9d095b62c382f29c1c557831849fd64b1f6bff11076952ab1c4d4c2062c6b9423d94cee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c2cee5f6abff22c9e4c99057161f8c82

SHA1
0c1fdb21c94c2b8e44bfe2d3805034f5e6f57e9d

SHA256
7cafd891e404bbe6be4a7fa2fc5b52502cb74f5dc10076ac885d727197b73373

SHA512
c16263bde5a450701c6a8ee1b552eb0bdd4293428b74721f9a0cfa3fef00f3ad58e8b18cefabf489fd07b85930fec04252f4e1fe03b93ca608bade877ae0d2de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
afd0ee41670a592e6bca73cb59eb04f0

SHA1
7e8cf4f0544b324bcaeadb211031a389fb2af9f2

SHA256
938949d11c10f8c7af2cf6ebf2bd2094d3465efca2a295b8a99ef560b09589fd

SHA512
bbd8c8716a94f95d526797a048fe2ed796b026a65f48a8fabe06f6da9e5e83320e7a1c5a33432ab837f301cf8e94fcf3e36cf06f64ba1c52a46e359c5c2b1e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit