hxxps://api[.]getpxlemal[.]com?id=11541916&stepNo=1

Resubmissions

09/04/2024, 09:28

240409-lfj78aeh9x 1

09/04/2024, 09:24

240409-lc2yvsbf37 4

Analysis

max time kernel
600s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://api.getpxlemal.com?id=11541916&stepNo=1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571297812822776"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
4740	chrome.exe
4740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
744	chrome.exe
744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2972	744	chrome.exe	94
PID 744 wrote to memory of 2972	744	chrome.exe	94
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2928	744	chrome.exe	99
PID 744 wrote to memory of 2776	744	chrome.exe	100
PID 744 wrote to memory of 2776	744	chrome.exe	100
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101
PID 744 wrote to memory of 4468	744	chrome.exe	101

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://api.getpxlemal.com?id=11541916&stepNo=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xbc,0x108,0x7ffea4379758,0x7ffea4379768,0x7ffea4379778
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:2
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 --field-trial-handle=1876,i,11180411139036153227,17950099958392040372,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
677B

MD5
8281b4f552b244c6e093809a8526aa2b

SHA1
ec2aebf63c9e3eb3ddaf3a852b3cab5961f595a6

SHA256
81a86a5028e5b5734e74d91fa396634be6374135ad10cc7b944170e814373acb

SHA512
af5deb6cc84d485c99f99c996f98feaaca2cc4f9fd29708a0e3f9a100f952e8ead7374d75beed5a9bcba3954164d57d6471bc43c86509b37e9681669e1376220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
534B

MD5
bc129cfedbcfa1a326218b96c58d35a0

SHA1
2c636bf0f9d059151e1c898d30e4f1d11ff352a6

SHA256
f070927e8df3ff2491156ccdc23cdbab5bd385523913fefcf11930c1b806dd85

SHA512
686d14b4d0ee11026dfea520bca5d8cf5a4f471ddf924d4176b10a13c01da4deb0de737bdca37877f2b3a16fe1a466249872af8aca1f6f1328666f41d8e6caeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
33b41dddb00716f1bac017bf3be7b76c

SHA1
d8b020db068a56f53eb1ea04001a150912226ee3

SHA256
97c3b90a0876c85caba546dd9560481640856a47c821b2105a9f4c0da8fba980

SHA512
59294b1f95295dbbea248ba9c5761c2ba3e33a41ce1a77c43258e883a0704eacefebee0a4fca98290c60785dca7feb92718d9602854bf813434a66f787f0d540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
17bf18a6802fb55868e94cb053a1bae2

SHA1
99d0f17b86e62e76be0608e5320260d63f14d01f

SHA256
26fba3cbba37959d692cf0993bad3215c3f38a8d4fb49ee3b87023db5d9a1c58

SHA512
ed69a6c12c6f7d0070953d12c9b2a6b9ed7f8d4a525cc67d67fc8141a9b7468056571dabe19718b724abbe8c29058738c4dbdd8244a015308023f8ff89549f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df4e2126882d4542b88d7996e7c4a640

SHA1
44d3c432dac87c3be148ee12b6c9430a02a1c6da

SHA256
b4edca5a3cdf61e590773e1c729724c8665a02a7a93a9aee76ec89b6278e23ec

SHA512
7a1be16080a5f47b8d12101c307bc8026aabf66ad96e35da05f94fc9633777f604570b460653b6334bebcadfca4e462428338c10a091984c1f2edc98ca42eb2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
08c6ff46ec769f9ead59f4f6de04947c

SHA1
5dfcc2c461777795aac3b7378257b3edcc5912dc

SHA256
01c2f80043d010578d58031bbe72451f12a43ca16bebc373ef4f897083fcb685

SHA512
d76a761f1e21b6bbdbb306ba63dfec6642dd9d634b1f9a7a9bb8539b40278e3564b6b69d5ac14865ce962c27c521786006ad79357190d07e71849746d418041d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit