hxxp://file[://]/\\45[.]89[.]53[.]187

Analysis

max time kernel
600s
max time network
570s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/04/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://file:///\\45.89.53.187

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571617953999561"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4812	4192	chrome.exe	73
PID 4192 wrote to memory of 4812	4192	chrome.exe	73
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 5012	4192	chrome.exe	75
PID 4192 wrote to memory of 1156	4192	chrome.exe	76
PID 4192 wrote to memory of 1156	4192	chrome.exe	76
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77
PID 4192 wrote to memory of 1364	4192	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://file:///\\45.89.53.187
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f6229758,0x7ff9f6229768,0x7ff9f6229778
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2684 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2704 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3748 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4480 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4300 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3164 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3520 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3520 --field-trial-handle=1836,i,9337105449298606615,17794617094038567279,131072 /prefetch:1
  2⤵
  PID:5060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1f9689574e9fdda370f4c05ef5cb554a

SHA1
45a1b6f29a3c0af254312fd58efdd9525896bb07

SHA256
61aa1681fe5ff0728be986dde80845ca9967501e64efcf8baa110a254b3959e0

SHA512
30e7637056e08edaa549b49a9fbf29881fdd2a65bb2793a91c5405f430ca788a4025d4bc33a578a5d38d601f78e53fa4c60e7b00511bab4608f96ef66b393165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
371213529d18694b0d50304ac105fb0f

SHA1
43bbbdc120489077159b3af50649c355f7ab8e94

SHA256
5ce45d44a7413dfd4ea2f1b478e8915a9e332d2b8f30871d12c102b8ad8bfbba

SHA512
52eaf6ce1e23cc3f628a6468eecfdd3f252b95805a27cff10b2442add31347e36b076da38508979c8520f164090bd9d12e78ff5e61791c3c4f8f72ca5657f81e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1eacb6189f8e6a986554dd68b75080f4

SHA1
ca6605c3eff97b1bccb5995008edf8c02c98223e

SHA256
a70062fe1f02b7a28db9b0a60ea6aaec707cebef77cfefb651e1e05ca1f1fb1d

SHA512
fbebb6f4b927963e1a7e10001077a35bfc3e90949e3c2ead4183c0329b1591e2272ba633d44a4a64259ad66e04ad3b1b95fe84f0fa4fe021641b37f8737b20fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a9df9bd239640e8cd2881534dc00291a

SHA1
2e48d80d5681c301cd7a2d4dfe83b7500cc40927

SHA256
dce2f580e25f924999ad4c75132904ad8f5c98d3517c1682f4f1f6bc163c8c34

SHA512
2b1e215ec05f6c095b6a63f30b5148d022b559a31d96f6a79dae01d31753b21332c79df690a43e91add9cbe546b0bce024bd6e6c8130f0b2905f5925a10279d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit