Analysis

max time kernel: 600s
max time network: 485s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 21:13
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]
Resource: win10v2004-20231215-en

General

Target: https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568261362502336" | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1740 | chrome.exe (2 entries)
1004 | chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
1740 | chrome.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1740 | chrome.exe (32 entries, alternating with the row below)
Token: SeCreatePagefilePrivilege | 1740 | chrome.exe (32 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
1740 | chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
1740 | chrome.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1740 wrote to memory of 4536 | 1740 | chrome.exe | 84 (2 entries)
PID 1740 wrote to memory of 4080 | 1740 | chrome.exe | 86 (repeated entries)
PID 1740 wrote to memory of 1676 | 1740 | chrome.exe | 87 (2 entries)
PID 1740 wrote to memory of 2040 | 1740 | chrome.exe | 88 (repeated entries)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]
  PID: 1740
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc7149758,0x7ffcc7149768,0x7ffcc7149778
      PID: 4536

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:2
      PID: 4080

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:8
      PID: 1676

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:8
      PID: 2040

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:1
      PID: 3304

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:1
      PID: 4616

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:8
      PID: 3076

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:8
      PID: 4456

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1972,i,12846893046655177027,16285275656851083276,131072 /prefetch:2
      PID: 1004
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3580
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 528B
MD5: ba9cecc52e16970b736dc4afcad3d295
SHA1: e9d6c69af569602ff81de3806b516ebfa6945184
SHA256: 26d9b16a298a18f624b08aeda74960db198265ee4296c0b46a80eb528578b8da
SHA512: 01d707e47003d79167eab16df900576eb8acb40762dd164e96cf87eaaace04ca88d0bd96ef50be6f0d6e6475f6336d7bdef50fa4456c87840d148ca05318f0d3

Filesize: 2KB
MD5: e69fca9036e12836276620f434003b3a
SHA1: 88878d7d41bd2d4e777011f184676dc5a7af5427
SHA256: 13bb94fedf1901454aab45002b25d69d8d7910179faf17538bdc014e028e735a
SHA512: d430e0f17ab80d1c1f8f36a1218984f181623e136b2584aa0fac63703572c94524929155b0195581ba2b24903b01e9beac3645a308ec75f772058df62d15c844

Filesize: 705B
MD5: bbfa6244ce86336dd242dc4a4ca8daf4
SHA1: b001f6b2e355d7bd5183c3344f7b182238c92fca
SHA256: b2c608445e29f425100e14da207988ff82b41a2e2d0903ef5f04413c1718976e
SHA512: 81b8a59efa028db501b5ca4f844861eb8a00defb61ec998e50ddc10bf7f0c43c592567c10a4847322205712657e7f878cbea429e7a667d3934b8b32380f9d0e9

Filesize: 6KB
MD5: 6bf8760ee952cf55fdc586e079d518b0
SHA1: 921eb72061213de71765b5003d61eefd8706ab7f
SHA256: 5467b9da0af9c3d567fe37119c9e1ef47c066d5a17375c0ba8348aa6a54452ee
SHA512: 129a132d1bcaee3efe4fc9712573b89ae61bfdb8a65caed20b764d0b2a0d52d054061d29387b3bfbe4bacf88fe4b19a665db5ef0698a50eaa98fe0a2fcc03b7f

Filesize: 114KB
MD5: 5ed92fe3c67a96c74cd282dc0a6eed27
SHA1: ef2b6a7cb6ebad11683a4c485e2918ff07a30bdf
SHA256: 9508529b5f3dbc8c72764c5be9745b29adb22a467117816241f4800683e653c7
SHA512: 0e5c6a473b0ffd6dd22e46cf474bc5b929e12b83b09d40d4c7681f1c327da8c20f6ed17124f00f6328e351d7e556df9828261734524c5731cef366387e1e6f99

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd