Analysis

max time kernel: 22s
max time network: 23s
platform: windows11-21h2_x64
resource: win11-20240319-en
resource tags: arch:x64, arch:x86, image:win11-20240319-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/04/2024, 00:13
URLScan task: urlscan1
Behavioral task: behavioral1
Sample:
https://r20.rs6.net/tn.jsp?f=001iVpaGUxb18QqT7NMqVWOuL5qZz_prp7d76NmocSv64NoyH534QjIxMzTremfFgGmtmMW12uf5dxp6xOPKN9o2XSW0zVpur3FB9yjPuS_CRxPOq27F_BvWcvAZcbQS3qFRL8Rc_h-tWHyw-hvjI3Haw==&c=S-8Cd1JvaJsn4cSeE8KoWXXPSbN8Y_TY-vai-_q42g2B3BN38E5mcg==&ch=D_AIiYXfNPVf8CqYgpcaJxqYsSQRRwgooyhM2zRBCYgKRJURf0zbvA==/ssl/cess/file/MD6/7CHAR/#c2VjdXJpdHlAZXNhYi5jb20=
Resource: win11-20240319-en

General

Target:
https://r20.rs6.net/tn.jsp?f=001iVpaGUxb18QqT7NMqVWOuL5qZz_prp7d76NmocSv64NoyH534QjIxMzTremfFgGmtmMW12uf5dxp6xOPKN9o2XSW0zVpur3FB9yjPuS_CRxPOq27F_BvWcvAZcbQS3qFRL8Rc_h-tWHyw-hvjI3Haw==&c=S-8Cd1JvaJsn4cSeE8KoWXXPSbN8Y_TY-vai-_q42g2B3BN38E5mcg==&ch=D_AIiYXfNPVf8CqYgpcaJxqYsSQRRwgooyhM2zRBCYgKRJURf0zbvA==/ssl/cess/file/MD6/7CHAR/#c2VjdXJpdHlAZXNhYi5jb20=
Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

flow  ioc
2     cloudflare-ipfs.com
12    cloudflare-ipfs.com
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description      ioc                                                                                                  Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133564904217203146"  chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
956  chrome.exe
956  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid  Process
956  chrome.exe
956  chrome.exe
956  chrome.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
Suspicious use of FindShellTrayWindow 26 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 956)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r20.rs6.net/tn.jsp?f=001iVpaGUxb18QqT7NMqVWOuL5qZz_prp7d76NmocSv64NoyH534QjIxMzTremfFgGmtmMW12uf5dxp6xOPKN9o2XSW0zVpur3FB9yjPuS_CRxPOq27F_BvWcvAZcbQS3qFRL8Rc_h-tWHyw-hvjI3Haw==&c=S-8Cd1JvaJsn4cSeE8KoWXXPSbN8Y_TY-vai-_q42g2B3BN38E5mcg==&ch=D_AIiYXfNPVf8CqYgpcaJxqYsSQRRwgooyhM2zRBCYgKRJURf0zbvA==/ssl/cess/file/MD6/7CHAR/#c2VjdXJpdHlAZXNhYi5jb20=
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1300)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e17b9758,0x7ff8e17b9768,0x7ff8e17b9778
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2368)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 868)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 460)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3800)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2108)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2180)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2356)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4896)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1812,i,234078146599779311,13296032034207092711,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4952)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads