hxxp://89[.]208[.]106[.]112

Resubmissions

05/04/2024, 16:33

240405-t2vj3sgh7w 1

05/04/2024, 16:22

240405-tvha6sgf91 1

Analysis

max time kernel
300s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://89.208.106.112

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568084401517256"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
552	chrome.exe
552	chrome.exe
2632	chrome.exe
2632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
552	chrome.exe
552	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeCreatePagefilePrivilege	552	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2356	552	chrome.exe	88
PID 552 wrote to memory of 2356	552	chrome.exe	88
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 1876	552	chrome.exe	91
PID 552 wrote to memory of 4372	552	chrome.exe	92
PID 552 wrote to memory of 4372	552	chrome.exe	92
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93
PID 552 wrote to memory of 4396	552	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://89.208.106.112
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffb07359758,0x7ffb07359768,0x7ffb07359778
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 --field-trial-handle=1888,i,9514297786397119436,16688818176540787608,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d32f7607111cde603cbd9faf70b77cd9

SHA1
4ff17267974be87451f0ddea094f32558856f2e2

SHA256
9a0c632e13df780a442ef7445f03757ace26b346d5c014b6627c034b389e1029

SHA512
c3ab6059f8b3ef058514a3b92cf3339f57b814e8a5998b122c028b58dfac41a86381b4f315de354d46b05b1f2ad6604d74e85d37df635ef64a6bba01b4edd386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
884B

MD5
74bc71677bdbf17bbaa5a8cdc32289e6

SHA1
85f8702d0a70029367b9286a58f346baef0610df

SHA256
e31af18a3d0335f7d075b4499c5f5e7419d93c79005d55bc3e71f1c7f9a064dd

SHA512
3c298c6c8c77cd0ea60eec0f3b4f49dec4daabe866cb4acf036eb7fce85e6b412ae0484007f9ff51d92eb178109d2c6fd1487711444e4efe74ba584c59a2dba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a6b9f6c23a1cc57ad88401d70451fa4

SHA1
c7cf55588ffec5bffde7f403fac1139826ef2a55

SHA256
920c783f37f8d31ada4646e6e54b46c750e3d6e0bd3def4fda083d15bb3a2950

SHA512
4dc1fc0685bc3421764ff23c1248ca6e553bfc752cee8409b7aaf7b12d4e880f4055f84de895ab2ecab20acf2fbf88d125b299a405df3cfb5a8783eeb6d107f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee02f212ac4a0fca23688871cc01ba9a

SHA1
36c12f11318f55e80e96d6a1cd86a71510a028f3

SHA256
f0719cb840363d10582a20dfaad01f838130b20633f7d669a03d0cbb69b0dbab

SHA512
6791f3266d3cd1914d899882272211dcf0206cf61950c012630831d402cbdb93c1b351ff9b11879b22ccf579510ced0937d0938dc35df8f808c0e12a41200ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
86d6fb3ae35bf574694f335fd26facea

SHA1
d09ffdd0a5cc6e7073917a931afa9c78e6451ca3

SHA256
b15e42de9a80ed8099b8d88fef90e5fa66debe82dab5f173f6524093e2245266

SHA512
871b9e9c7f1b5779c296465e04a97221abe478ed3160de1a36ed8bfed619c207bd5c839a48c0e7605254dd72f011a5a422078ea438c809f64bc571b8a4198085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit