hxxp://www[.]halloransage[.]com/

Analysis

max time kernel
300s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.halloransage.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572521129639649"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 4144	3696	chrome.exe	84
PID 3696 wrote to memory of 4144	3696	chrome.exe	84
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 2916	3696	chrome.exe	86
PID 3696 wrote to memory of 4896	3696	chrome.exe	87
PID 3696 wrote to memory of 4896	3696	chrome.exe	87
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88
PID 3696 wrote to memory of 384	3696	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.halloransage.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fef79758,0x7ff9fef79768,0x7ff9fef79778
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2800 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2808 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1000 --field-trial-handle=1828,i,8625826710340928055,11400034274123368991,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ef9e52a63c192ca8e251f9c9eb3d2c60

SHA1
460ab173e306ae616eb9ac47ae152c230f6eb912

SHA256
be66d6a0a68ca0e1d42a0f2ecd850e75767eb678a867b652e82426765382c733

SHA512
5680027b7a9b45546368a7e81b102e05a404f4de5c0980887206aacde572133729d8dc59e270c4b85bb6f503e3936d4b70c98799ffcac1c8133d1bd84daecb15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aef844098d86329a61dae1809ddda61d

SHA1
0103ad61891014bf09317c6887ef5445496b6c1c

SHA256
4cd7696979b5ab3e99f724d37c8603beadbb02ebd0d3d68363bc28d9c9082437

SHA512
4bd9e294926df8f1e2cdda75f5e81b498d4a5da68770ce4aec2b34f5efb2501bc02d094d63f0209d098f87e63d5597ed023b3196c86d488a4e2ec30606e72039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
113ea5bbfb88e495856b0de55b02ca67

SHA1
864370d51ca2dc5e0bcdbf26e88c5824935f5ca0

SHA256
349cd15f3bb714a7f222e232b179f6d8d4985e242212e17dc68e11297023e0c4

SHA512
085f3fbc265e51399858617619f6dae0d3beb5479e1ca66b8ac9b1490f98e2fdcf52604ce4c66c42afd3f3c22d7c690579ec312f6c3b71e3522dc7e33799a392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
aa473e470e4b1e38062fb50f03af121f

SHA1
0a169f8a00b5513585a5074e23a33786f32fac21

SHA256
74940eabad85fe7dbb935e57b16d0d6cacaa243a9480cad8b7a2f66c0030788c

SHA512
14f87d5c6fce62b2910cd353cf57f26e221f7bd5f361b456f6f762753c78aba09dd740b6501bf832544ad682a7292150f1749a70c7d64cbf0c22872265923d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59ae0b6a025f3b7d48cb585a3b7e360e

SHA1
4355ccfe46fee81919321ce0ac55e376a88ab570

SHA256
9990ce85d858767634b86709c276ad882038295539a817d559212fa5bb0423c0

SHA512
440d95f74e524b68ea7b52ec8cc9d7157fb122fef292b29ad49cbbc516b07507695529ad9739496bf6fae72118c203dca329119df647b7aff14f7fca0f01bf0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
fe0cbecaaf028ada61a5623c8624359a

SHA1
8d920893c70ced8c0494ff1929e93ae52e3f8ce4

SHA256
da6af97fc17ec9b49dc26ffa016452d6f7c28aa238de761100755b3590510a73

SHA512
83721573859867bcc831bd856c73311069e264dd2457aadbf80f525e6f714d16ef4de1d5afd9b8681f4203c2e1818c9e5a35c107e1713f142786d28f2e0a7891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit