hxxp://notepad[.]plus

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://notepad.plus

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577946483283980"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3416	1148	chrome.exe	84
PID 1148 wrote to memory of 3416	1148	chrome.exe	84
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 2988	1148	chrome.exe	85
PID 1148 wrote to memory of 1940	1148	chrome.exe	86
PID 1148 wrote to memory of 1940	1148	chrome.exe	86
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87
PID 1148 wrote to memory of 3792	1148	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://notepad.plus
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6ba2ab58,0x7ffc6ba2ab68,0x7ffc6ba2ab78
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2836 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4572 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1892,i,12550634940697668369,9110664124768680102,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
6cd038dc0a06e6398abfc081acc1fecf

SHA1
ae1d625e0f012dd8fc7b6d33018d2c24984fcef2

SHA256
79d5f1c1cef5ad818257e002ca47d07a38869e0f30596285fffef781cf1e678b

SHA512
f0fe4fb992a8c66bd04c5abb4433ba45cd0f597f184dd58f3490824afe65b030e955bffbb4836edcd887323f1b29d705fe6ed40f1ab739628e7641510ba4ab4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7c9afa11-b483-4273-a801-61ebf2429c2a.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7e025c48907e12f1327811ef229888a4

SHA1
50c83bc34dc19f3a449f4cbe9094fef4a235eb16

SHA256
f7d3ce9364878b1a31529c9bd9024db6e5be0f421a4bc2dcded3ddabbf78ab91

SHA512
4be0230f9a8078b1b3fc7104b3b5758801d7d0f1d652cd78cf05b40c34bb4aa00ad859e1256edb98b6a5d86339f87d23d46c3069614e9cc1cc82f36dc0186d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aed63c21a3d5e64748208f7d879e4380

SHA1
7332eba1e05c3682a44367b6df0ab71413777081

SHA256
262db7e4f2fad9650be8bfdb42ada263c9d6674a747d3803602161f7ae807c3a

SHA512
41d9fd694758090d50ab68d6e984b7234c8fc85a15757f4dd3adff56bad5a132f28677db665541cb0632a554982a287455fce17a6b8a605b3613d9ca67e395e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
414cbdd0d0db54fc9e839aae7bb4fc6b

SHA1
23a73915f40ecf9a64317424ef12fd98f5d30943

SHA256
27c376629ac3cd5070b55b72a465770d081a5fa4425fd4a8724a6b397c1bda34

SHA512
ebfab94417a9a7bef0f1deccbabf19b992ec6264f2ff65ead1971a919e21fd7a8c453ba889e52033dba7db2a2bcb86353159c0c75b4dd6e81b1775f9043a592c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
e7e98c8d22e3b30a9656c7a008a748b6

SHA1
17f31ba4c6385a009dd2a564bc900e72b922af91

SHA256
8142d72241f67602262691b7196fa5d598e1a750f5ef25534cc39c1dc7e12d80

SHA512
b630f50eec270ee015e354e52adc2f376c9f499f5b463e0db3812de4ea51159d8493a600721ac073f9ce41ab2e8ad7efcb726e0482a322ea427238b365c75d8b

Download Submit