hxxps://paint[.]crowndecoratingcentres[.]co[.]uk/576A-10EX7-1C09AC4C1839229B4SH449FF26A4DCEA39CB89/uauto[.]aspx

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://paint.crowndecoratingcentres.co.uk/576A-10EX7-1C09AC4C1839229B4SH449FF26A4DCEA39CB89/uauto.aspx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133561672288714274"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
2924	chrome.exe
2924	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1456	4948	chrome.exe	86
PID 4948 wrote to memory of 1456	4948	chrome.exe	86
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4624	4948	chrome.exe	89
PID 4948 wrote to memory of 4984	4948	chrome.exe	90
PID 4948 wrote to memory of 4984	4948	chrome.exe	90
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91
PID 4948 wrote to memory of 1056	4948	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://paint.crowndecoratingcentres.co.uk/576A-10EX7-1C09AC4C1839229B4SH449FF26A4DCEA39CB89/uauto.aspx
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabd689758,0x7ffabd689768,0x7ffabd689778
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 --field-trial-handle=1676,i,6619494088188611964,568454740317302697,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
e4228cf1a2be896d8dc87a29a8102430

SHA1
4c86956d9ab933bf7e17946520dee346b619e8f9

SHA256
7c20f08a51b8854fbfbc7ecebd47915eda753da89c3ed2a4b48338c726b6067e

SHA512
2b0078e52737252ce39a5fa6a7f186ad02e7be9cae32e92835c20e1b1f698e6661c5c55e167ab926e6bce5b820c6623450a105698ad7efa8842fe11053040a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
918B

MD5
1f206076de8ba28a7b9c8c492755099e

SHA1
d8e4fc74827a62b3998624a73ab6e6088faeca22

SHA256
7852a3a954f4e15893295dcaff70fc58d5a69b80515a1caaa9c65b23b36fea2d

SHA512
ba1a2f132239322a180a549d240ff10c8330b799b26400b0dfcbf75185a9ee80e9a7728cec041645e934af0d9418f0becb15ae1dea80848005619e1a7c4c735f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
423b3e29af8cd9d7291b5f847d5170d2

SHA1
c87c736c9ae0b994475433408af556f65c2cb6bb

SHA256
d20c842083d86e6843a8e5d3b3d22bae6dcd8f6804874ead600021e48e60dd64

SHA512
ea165059c56e64bb29eb0982a96cde10333fe35401d511f51a44ec0185bdf8e218f90d7710302e6f3d6d31d71461f2eb3923f3bc93079171ec61ade84d61e2bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e83cfbcabe41b93f39f066fbd8515726

SHA1
8e4ba43030774824d63d41ad80c1c88c85c5451d

SHA256
9932bdd7616ebdf1df3719f121597d24530440dcb6737685d111bd7b857d47f8

SHA512
035e2f7c4b448ab92bf8eb9942f55eae882b0fab6311274d11edd2b8eda501ae6de81bdf5da510f2ab46f3db6878248e3984e30021376ba06855f2301c8e5b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
99edb395af7f1daab94cc7cb163b0cd5

SHA1
60851725f78022878fdc5eb0360de5921c473a46

SHA256
590903436af1f9d2264b5974a49678e6dc3144a24e43a2ed96b9e1718d51c7c9

SHA512
6f58be2a4a1b26a1880c530b0a6b98ff6d5cc503887b5f72e7a14ccee4f4840c477406c056445113e92622e89751317e9638bda68dcb58c651fdad982e2991a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit