Analysis
- max time kernel: 299s
- max time network: 305s
- platform: windows10-1703_x64
- resource: win10-20240221-es
- resource tags: arch:x64, arch:x86, image:win10-20240221-es, locale:es-es, os:windows10-1703-x64, system:windows
- submitted: 01/04/2024, 23:28
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://mail.laboratoriolih.com/
  - Resource: win10-20240221-es

General
- Target: https://mail.laboratoriolih.com/

Malware Config

Signatures
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 37: ipinfo.io
- flow 38: api.ipify.org
- flow 34: api.ipify.org
- flow 35: ipinfo.io

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)

Modifies data under HKEY_USERS (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133564877531995384" (chrome.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 5056 chrome.exe
- pid 5056 chrome.exe
- pid 2916 chrome.exe
- pid 2916 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
- pid 5056 chrome.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 entries alternate between the following two rows, all from pid 5056 chrome.exe:
- Token: SeShutdownPrivilege, pid 5056 chrome.exe
- Token: SeCreatePagefilePrivilege, pid 5056 chrome.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
- pid 5056 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- pid 5056 chrome.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries consist of the following rows (description, pid, Process, procid_target), repeated:
- PID 5056 wrote to memory of 5080, pid 5056 chrome.exe, procid_target 72 (2 entries)
- PID 5056 wrote to memory of 4252, pid 5056 chrome.exe, procid_target 74 (repeated)
- PID 5056 wrote to memory of 4132, pid 5056 chrome.exe, procid_target 75 (2 entries)
- PID 5056 wrote to memory of 5116, pid 5056 chrome.exe, procid_target 76 (repeated)
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5056)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mail.laboratoriolih.com/
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5080)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc31239758,0x7ffc31239768,0x7ffc31239778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4252)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4132)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5116)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3552)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4020)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4528)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4892)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4944)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1632)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3872 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2916)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 --field-trial-handle=1812,i,759743548398933198,12957160354028713892,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2356)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads