hxxp://www[.]qch[.]ge/01m[.]html

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.qch.ge/01m.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559107066792058"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
3068	chrome.exe
3068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4000	4556	chrome.exe	94
PID 4556 wrote to memory of 4000	4556	chrome.exe	94
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 3100	4556	chrome.exe	97
PID 4556 wrote to memory of 4496	4556	chrome.exe	98
PID 4556 wrote to memory of 4496	4556	chrome.exe	98
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99
PID 4556 wrote to memory of 4308	4556	chrome.exe	99

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.qch.ge/01m.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9dd89758,0x7ffc9dd89768,0x7ffc9dd89778
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:2
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:8
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1880,i,14357673748538187785,13309225209172095647,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:6124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
aa5aa7db0c4b99692116110c538666ef

SHA1
aaaf92b77ee3e84a6ca3fe2bcfd599d464341b6a

SHA256
ab4568cc017211e0b0700d2525b82fb98c456d00803d63a6614287b7a20573c1

SHA512
b10e0abd113bcc0076eef53f3443893300bb848924a434d7fdc914711c50fbe3735af07a59fe0a5678f27f32947d52c20d4249507ac03367297f88089fcd2a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3a8cad16c45c6a7d91935530162422b2

SHA1
59af3b811152f2da3b98909661e4750f1732f1c9

SHA256
95d23bcbfab1f3392dea7ea43c0625abd883420c54e547db69de9442bd2f99d3

SHA512
be95d53ca67dbdf06468099ec70e4d2f13430a53e1ab90950323a811661bc370da83226981e99b3f86c4188a55c98d20a9b9249c8261c8846d6ccd112bba8285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
594bbc146692f31e3e1af4c0bfe51791

SHA1
5cd3035c80d233b65d805705234af3e7a36779ef

SHA256
903da14553f0f911224909d4a00b500d2b2c87591e02827f9cd4f8a3f35afe2e

SHA512
0233ee8bc2c1ab97818f97a6013dca19294d51fea29ac28ff33de82a7f0075d016c12a83fdc8b889e2cf7e5c77bc6288d7bed75b826fd2b3cb1ffea8dabb84c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bd70872fcb83b4cf325a58a64880a15e

SHA1
83b7188083937387ae14141f0f086a2df7e7f375

SHA256
9d6cc3cdccadecf5ce324d2dbb881bb0348b56dc11d4adba0823f7e3593cc689

SHA512
a31a6da03e7389a839882c620f631a25fb520ce0a4717244841cbb11bc1edfc1532e5d830baa81b07269362fc7bec84e643f6e285f681f2bb9c8337eb9a8b85b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7181bd250f5ff2079d026eaeb4b48df0

SHA1
f75e210afbc6a8534458324fddd51580cb8ec506

SHA256
30e0b44478fcaeeee4f6a71bfee7c4e3d603e692192158fa501b942184035d39

SHA512
3b07f2700f3e0d7318d4fab402f20e37f08a954b3186bc0dd343b2647c085146cc998cae39298d80dd9e4041ff33f2df3087c9a4ddcf25db0800331137e3d9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
19f81da0e63adc0786551c14c3ec1c51

SHA1
b19c1a8988fef4ac36c97d18748edd92aa7ca755

SHA256
6ad73ee05d47cbab2e546506f74da80439147e64cbbe29ab043478e366299268

SHA512
80d7ba99ca5813ccda9e2efd9b5f180059d501523f6d7070fb4028f4e422f5a7958037bc5b58ff5bf1d8939f14fbe420e5a8bff38e0705a2ee816f2897430d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit