hxxps://www[.]timesheetz[.]net/EtzWeb/u/a1e979fc54

Analysis

max time kernel
299s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.timesheetz.net/EtzWeb/u/a1e979fc54

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571225447686458"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3020	chrome.exe
3020	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3020	chrome.exe
3020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe
Token: SeShutdownPrivilege	3020	chrome.exe
Token: SeCreatePagefilePrivilege	3020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe
3020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 4108	3020	chrome.exe	86
PID 3020 wrote to memory of 4108	3020	chrome.exe	86
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 4856	3020	chrome.exe	90
PID 3020 wrote to memory of 3948	3020	chrome.exe	91
PID 3020 wrote to memory of 3948	3020	chrome.exe	91
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92
PID 3020 wrote to memory of 1144	3020	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.timesheetz.net/EtzWeb/u/a1e979fc54
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3de09758,0x7ffa3de09768,0x7ffa3de09778
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=824 --field-trial-handle=1872,i,12257693624120288148,599895679073831314,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
2f3d2266f0d165201625e2a19b516d18

SHA1
af3cc42a9b479ae6cc933637d9069ab2f7eb0403

SHA256
96dcb57777bef90e4c37ce3df19f89e64cc7638bc367371f8a573fc7634f28b3

SHA512
b630d94537f10cbe732b4878a1022df7072a7d0dfaacdaf7370558b810caf4a2644de0fffc42d1a955fed5ad89f8871cf5a5eae16738c6dac3176eadb2b1eaca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
db9fcab21d68cfe06eee7dfcffda25d6

SHA1
c7d52aeebaeec171a77d355844925ae1f3f83cdf

SHA256
b17587f6a3d9954e075eb8dafbce4438da8cfc8a9cd1431218c69f02691d0276

SHA512
08dbd0ac03192fd8d26d3e8753246ea1b3edf1554055635575f2c831fa87c64765a378bd7b0cc642aa89618025a12edbc49b369376b477493245e9af97d5ebfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
60e31a17230e3f7a6aa100f63bad8085

SHA1
dab588eb54e8c18f3d337df3725fd7dc42ac10b8

SHA256
96c1577a60f04aa09efa5984f76f94c8928107851c72e33fcf26a359f6b05e87

SHA512
5844275b1475e6d9df49184b35fa2fab510ad31d563ece4d2b72d6fd26138964d014f23aa3b6043b1e6c201b7a22ec7fb8e586f5e85d60e2cafe640a56476f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c65268310d8e310b6d7bdc2f372ef107

SHA1
c93caffc625bf5d4fd5f2b026ea5ca853a4291c6

SHA256
295b8cfdb97dd8fe85b5c661ec0314f550e20e03bdcef132130006418186c462

SHA512
c561050f8f5123f724cee593f8596d1ea8ec77fe68e47b540d49cfd3c1b63d8aa32e43248ff1d7ed8f721c9babd86a68f45ef3577849f8605e20bb08fd09a34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
c5b5a345714beb40e35c5ec30833030e

SHA1
0a2069110ca380abb19b631df58ed0496d083282

SHA256
1e21eaa761fc4a0b1e6cfb0ce620784297e6aa1a3955202dcc57023d135f23bc

SHA512
5961cf0d9990bc677e3946e815f06773f2580ef34bbe1769c47a4d998a65bf4ad37302da115a96b0d5525c476cbb1564856671969ca5b516ee872ece525081c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit