Analysis

max time kernel: 599s
max time network: 562s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 20:55
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]
Resource: win10v2004-20240226-en
General

Target: https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568241610300699" | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
5052 | chrome.exe
5052 | chrome.exe
372 | chrome.exe
372 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)

pid | Process
5052 | chrome.exe
5052 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (26 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5052)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.nexus-creative-solutions.com/login/?xcstoken=RDJHWFlpVkR5UTFhQWZ3ZVI4T0M3dHVtK29VejVoRjlpSVF3ZFRIdEJlUkRiTlVvRXErUU1aZjhYUE1naDFjeQ==&[email protected]
Signatures:
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3464)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c549758,0x7ffe3c549768,0x7ffe3c549778

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 804)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:2

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3000)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:8

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1892)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:8

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1608)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:1

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3048)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:1

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3828)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:8

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 372)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:8

  Child process: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 372)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 --field-trial-handle=1884,i,3764637180997526647,2153819913690701442,131072 /prefetch:2
  Signatures:
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2952)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\rundll32.exe (PID 4136)
Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 2384)
Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
MITRE ATT&CK Enterprise v15
Downloads