hxxps://creationsintileandmarble[.]filecloudonline[.]com/url/ujyei3qbk4xmyjkt

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://creationsintileandmarble.filecloudonline.com/url/ujyei3qbk4xmyjkt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571630243463569"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2244	3164	chrome.exe	84
PID 3164 wrote to memory of 2244	3164	chrome.exe	84
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 4180	3164	chrome.exe	86
PID 3164 wrote to memory of 2764	3164	chrome.exe	87
PID 3164 wrote to memory of 2764	3164	chrome.exe	87
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88
PID 3164 wrote to memory of 1540	3164	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://creationsintileandmarble.filecloudonline.com/url/ujyei3qbk4xmyjkt
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe96389758,0x7ffe96389768,0x7ffe96389778
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:2
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3604 --field-trial-handle=1876,i,6597145263748079440,6346539921106565262,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
72fe5db8875a23d9c55ce48d46d1f8c6

SHA1
6a2f5880018fd053024c855d349d89a70dc0e092

SHA256
8c811fc8b6a338264309a189d42468e92b76e1cc50a11079df1a5665ec93a36b

SHA512
c9229e96beef105fd080cf69baff0802f5b8ec45c10628d9c150600ca714830128562a4433dde9ade218daf81cbb2f7a963d8e3d809656d9e6a63acaa3239706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7dd8393019ffb204485383db5d836719

SHA1
11dc5abd6da0ae67b32e8a1448eae29faec6eec1

SHA256
52a8086060959f6eeaf17156761171425f79fb8b02a1b2afe4a68a0c4bb5e9de

SHA512
46a9d119c4184ff7161302baadf4e3bcf786525b8592d3ddf0ccf6647c5f1fb7c88c86873f05ce3fe44535f01863b681c0b30b48a2bd713501d8d9726e558fa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
6ed8da26a5fd0f9f3502e53b25986e8c

SHA1
b812ed67e55e81972154d945dcebc8c9abc6cd0a

SHA256
8b9663548682feeda63b97d2b4eba26c4658ffcacd9c8af792a545ae9116b9c5

SHA512
c5954a80f5bdfcd8a07dcb916ad4dfa46af98634e26ceea8dff28e730e674eaf2eebc60be72d1b6dc5d9c81b3f098ae5b28bc944d92a0d3dc5b6614f54d1beba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
13339b6e1a325a542d54eb53e7bd9be3

SHA1
3e23bd8a335bc19018934e12f3a836093904a379

SHA256
fddd0c207d65c43aa4ce3aca445ad9c5d03f7405da238213977d6858a1818601

SHA512
17c7f7f7e8da6f8f12571de547624402c8f9620ea8680dc1fee33383728c74f5ed732d427e79325cac293cfd94303e4efcc61e970d78dac1c1f430debca041e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
1553bc399ada396cc0082b04e131699d

SHA1
737d30d157e5e9809b6697a70e18e7b8443ac550

SHA256
d6790fab119fb52a4450bc60ea179df4508ab7aca7610dfc0ad5cb85b4d5ae53

SHA512
9c96aa60b4eadd124fc4618a1d94a93b42f685719c376d7bc9f0f9c29d8fe130dd11b0e3fd70942e8f0346ff81971a368bb3880651c5e28d6b0f4184f55a49d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7a75778697929d4e22db952ae450a373

SHA1
02fcea4b79af3d49ee78cb03654338a04653faeb

SHA256
dd716c23a3c8dd789658d8f5e36f51de0385aad17a2fd14ebfb71b597768591f

SHA512
6f1fe7f3cb1261148243934c201d9fd0027a26dc44ac1f0bc7ca41a8ea58df9e5579465346f6ede0f6dd8f44dac305c1dfc73a2134478559bdd43e5b3a8470f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
4cce29b02a0eef177023b7412612a1a9

SHA1
b9cf86a89b2381f0134baefa336c6552b21b24d7

SHA256
6da4eb2943e1829475874ba37d0db77cd107edfda6d8e027f99047588aae39ff

SHA512
326628ac9333081bfd662902315dbdede8cb59239a910edf08d5e2972b5416e75a297ecee02f6c5dfa29a60138a8fb70a5eceef304aa94b6fc34331dce627f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit