hxxps://m[.]exactag[.]com/ai[.]aspx?tc=d96NUMBERbc40b07205bbd26a23a8d2e6b6b4f9&url=hxxp[:]socialgraces[.]ai/nu[//]will[.]iambro@gmail[.]com

Analysis

max time kernel
59s
max time network
44s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/04/2024, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://m.exactag.com/ai.aspx?tc=d96NUMBERbc40b07205bbd26a23a8d2e6b6b4f9&url=hxxp:socialgraces.ai/nu//[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570742610957889"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4588	4880	chrome.exe	73
PID 4880 wrote to memory of 4588	4880	chrome.exe	73
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 712	4880	chrome.exe	75
PID 4880 wrote to memory of 3112	4880	chrome.exe	76
PID 4880 wrote to memory of 3112	4880	chrome.exe	76
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77
PID 4880 wrote to memory of 2008	4880	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://m.exactag.com/ai.aspx?tc=d96NUMBERbc40b07205bbd26a23a8d2e6b6b4f9&url=hxxp:socialgraces.ai/nu//[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa74989758,0x7ffa74989768,0x7ffa74989778
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:2
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1660,i,1836145343412665909,9268372635012144741,131072 /prefetch:8
  2⤵
  PID:4288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
93df9333207ec73a7fddc3895f943c3f

SHA1
3f49d759c29a0d60cc5c2ae5876fa24f59fe4a2c

SHA256
9372a48cb1aa82cab22b1d88ba747a1283ee445bbb53386daf767876d6862a99

SHA512
a09a63a35f56be0c028b653be40bf1162216eba28ef063968817e45b4b9b2a6d60ad24d628ed6dadf3e0d04e69ebc5c5df3e2cf38e9d6b0a97b4e5e7b4cbc8a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9791b5b25ef3c152011934291edcd09b

SHA1
b4186abdb5d8b992fb09b56e0224c02985e405f0

SHA256
4148915d6c9f52a7a24c7dcdf876e8814251df61272d89578bad284188c5a593

SHA512
725e7a37279a196d0fef3aadf1498b5f175535b90ad2a4ae4aebddec8def27c1e39d404f40940c940510d35bf1437fd490e90ab36f22117fbfbcedf402bde5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0ddac12e87b31200bfee520b19250de6

SHA1
f4348d396c52fbad89f6e8a5ee252d6faee1d87b

SHA256
0baed946350278f3243b6282b01c11b879ecae1dbcf714f1426f7919205ed1ab

SHA512
033e2b74fed5ae73ceb5a0ee337955a1f926133eab513ed8285ce03ab1f76ec3ab7b90f3703b7a2741f826ed6105271a0abc0b3da5af9c08d71e105da69fa45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
767aed8be5f46153f273e549d8f8ea3e

SHA1
46e7f52cea3304b126f16f8c0361e767f039970d

SHA256
3e1cfba6003426a6b93a4bdb6ccf2c7a16002a979d7d1cec985a30b5e7b0a61e

SHA512
3366d511c2355e59759331ecd2acb47cad19e593e13d66c4c48d4d0a50ca84238cad997e9b314529c4cc3d74a4c86b1a5210ddae98057fd4885b07eb6efababd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit