hxxps://hps[.]investorweb[.]ky/

Analysis

max time kernel
149s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://hps.investorweb.ky/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577301969097970"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
72	chrome.exe
72	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4684	4364	chrome.exe	80
PID 4364 wrote to memory of 4684	4364	chrome.exe	80
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 3924	4364	chrome.exe	81
PID 4364 wrote to memory of 5044	4364	chrome.exe	82
PID 4364 wrote to memory of 5044	4364	chrome.exe	82
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83
PID 4364 wrote to memory of 3484	4364	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://hps.investorweb.ky/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94dbdab58,0x7ff94dbdab68,0x7ff94dbdab78
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:2
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1460 --field-trial-handle=1820,i,7134337986347491488,7518589810571880767,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:72

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:72

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
af3e832d8dac3692915661d45c548562

SHA1
09b2e74f54a16b7b7271930210e14e4652e91b41

SHA256
ca789b1b4d8d8a83cfc99adb6285144cdc2d2539e7584d89d708580425848c55

SHA512
d28b46c8eee9660a911fa945f576188810ba1b7b0f6d850205ddd801ccf0ff6a274aa6d6aaee669c39726ac581ba30e91e77061f14ab59fc875e2123890f6ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2cbfd236-5905-4002-9bcc-a9965ea5491c.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ad4fda932432116ff310a2fe392351df

SHA1
8c36f864ce57f2a5947c3c8693579082c29709b5

SHA256
2214902423fcbf324033710887f4174fd1132d82110cb92def1b16abe0b6a1a5

SHA512
da80c0f1b667492d32f94c1d58e325cd8b88d734a45e9b33e3aae45ecc8c7559d5e9713e3a08d25fcdb83a3da2c620033512429a2e0114de19cc1d0fbb2f34ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
62efbc9cbbbe1162d4f73df2eb253c2b

SHA1
69570537edfef815c7c9eece6a5a67217634783c

SHA256
18e627259b2c42537593033ad2a482b61e5c4420724e775425fb681494f34eef

SHA512
e3df3c7e6db96380846abe6de89a18b427f91d2c073777b4fa36b1c1815368884c393b4152d702b2949a9e4d5b4c2d9a5669d635a08302dc64a558c23a91bce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7d27fa36f220c768639ae1fe885ca7c8

SHA1
3b0d513f7b5334b2df59b0bd48bea7b01526e9dc

SHA256
d98438c3c62a09ecd53c70788540ca102f33f367e4d4049df29406242434ea80

SHA512
1388be886866d94b4e926680e680c4577bcfea3c16aad64c5a89ca8dba8a0012256717458fe875a3e47521a947ea8ee672ce90538dde12208ee5080644cd352a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7355a670476fc2d1dfaf93af5a56b3ba

SHA1
20e2ce9253adeabe1a8e2aac928b4db81d4945a8

SHA256
8b11795323f94a61ea99b42416654045c9f7e4e931fa8b5f63893700a269eaea

SHA512
4f6467eadee3d45fd9957835bdfb0c8b69bd0befb471334fa68facc1c56337a3b6bc44788eb0c872f9e9ff0a32fa4b7c779cc77e4313ee2910a5e4221a73861b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
06008037dd9d10fbc79aa2c066f28dff

SHA1
7c9a7168a9eb9875b5c14780c6c202778b9641e4

SHA256
7d20a9f85456fafea002af79bdcc43cc8484c096fd114f6b04226fee826407ec

SHA512
77478fe55ab4469f3995729eab67e6a1cf41d1d771948768661a005679858cb020f5e6abc48a5a8d64ca0688ab883db0c0247bee6d81455a6cf03b57d1bdb98c

Download Submit