hxxp://envs[.]sh/h5O

Analysis

max time kernel
54s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://envs.sh/h5O

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577354401528867"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 5000	4604	chrome.exe	88
PID 4604 wrote to memory of 5000	4604	chrome.exe	88
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 3724	4604	chrome.exe	89
PID 4604 wrote to memory of 1744	4604	chrome.exe	90
PID 4604 wrote to memory of 1744	4604	chrome.exe	90
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91
PID 4604 wrote to memory of 1996	4604	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://envs.sh/h5O
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0ffeab58,0x7ffd0ffeab68,0x7ffd0ffeab78
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:2
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:1
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1944,i,14781233285487964391,1771313646009744304,131072 /prefetch:8
  2⤵
  PID:2456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
408B

MD5
1cd67f9c421b84a327e7ff3a9881fe50

SHA1
7cae17dc2a47f19e2c23094960291e5837d75714

SHA256
9097b2b7b0a7b26a492b7606fac68ee52ec61085f0c2d3c0e8d92c4e25657834

SHA512
ae29cb5121f58b556e5d037a9e2f2a3f03aef76bd33188b140549b138d758773c8de35156d3101c83167c53c5526a044bba6e8ee3eb508fca25569601e6a5864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb6b52a219a6c0c68e426b7a9a78216d

SHA1
475b48a7f905b29870f31a95dc6ef11831acd291

SHA256
637483fba04f95570deb2747b52a45b96bb38ee98e5f21baa3891f065194cc63

SHA512
dda7f9634a3047b4ac6d4b0624d635e125b5ff701bff7904f583056dd7a097d365d260cc8e93410e4a04e2fb3935dcc3ad9db7245dce3df100755de5b7c529d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7d0bb7cb403a1d61c58fb601c6f720eb

SHA1
a954e8a8eb536bc42bfb0d9d88e7d9e6316aa47d

SHA256
84ce58c7632e78570fcde2e6fc5295d46167119a1f5869e06c9cdc87f3f0fcc4

SHA512
bc5ba280106b8ceddac7929bd5cfd2b924be5ea7b986d1efcf03a35a60078def6233256624bffa756aaa4aa79076b877935d45e81e22a443f086a78bee4aaac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d6cd49142d8632cc2931b292fc0415cf

SHA1
596a6cd235db3cf4718f1e2de4a0dddc343106e6

SHA256
aadf5def7b6bd7a168d35df42c3c8c35343aa4ce5cdb96702458621c24cb3d09

SHA512
4fe2a362c62e7dee39798b07c9700fef6a274ae3a7967c3b99a8ebb40c4053faea92c7d023283c2f1d8f2e842e3ba476e44d23bceb3a0382d4f54cf8960ffc11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ccca4984933592832db8f7d9de96eeed

SHA1
144225c10e666abcf09668af0b62e437c0019890

SHA256
b469663abc098bf52159c37978d1d51ae5aa5d51f9774a5d1b89bcab51b70d33

SHA512
2dce15113b5ad81202a8586528bee4b638c1d5ee02e9184d0645050b0041e564e4263c9b1f2170d09f592c4e22694062a4dab2c975d7ecf74956de12b6af5c55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
48e9cd4d2d2fd7bb2bd46047757bb60c

SHA1
1ba530da0e6a1747f5399202d12f561c23201f0e

SHA256
d6589e3dc5141d821d7cc85a05bb0da7e84e070c4863900176aa1671986190ee

SHA512
48db44e6e02ac04886e074390f0126ff095f137e0f213799dd6832d87f60f63370368613cb0da54388e1208ff5acdd86c87395fb1d6b1802f44fad4aa77129e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
6304d6eaf200aa48505fecb0d83d6908

SHA1
215eaf64ef04ff1cd2c7a946c9997e9e6e0ac21f

SHA256
7606382760cc2db9f17f99af6779893c47aa7834c44644efe728aa4139a80f89

SHA512
c19be675d91161be55683200f3789689e45a41bcac36229b6cdd6b748964e7d179748c4992c0774b5206ccfa3fe571ba3dfaea97eb02478024c5cc3524eef9f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
e65e786d17f2b037503bf5f266703e7c

SHA1
b600cff27fe583e1707f22a5da8d458081d3c3dd

SHA256
93005a0d2ec0d451f258e34f634ab75370c1837208b47889e65cb9c513372052

SHA512
588d0f2214b554ebe0b9c1f3fd4717407187f64e26ac7271ef2741214d5b7ff28673ebb6a88a674a00184dc6a77b996659e930d4f78c65bf11ed944bea333452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
e70cffb5da61b9a8fc76e8b15b957f26

SHA1
6543de8d09939ae53558fc247ef5a58489685574

SHA256
e21ea774c6e34ff7e95839a8285632e54f5cb1148fe85f457c92cc6ab9d9e30f

SHA512
89224cae3bcea1e5b31c5b3a9ca8ab93ac0d50927856b56fe89c0db1f439dca3ddf3ce7dc1ff8ca9bc090ccf0a353254cbd796ac4afe558bae781f3a8b46cbea

Download Submit