hxxps://intranet[.]rtl[.]com/serve/AMIfv9694daUVzk_h7KNmXB8Fj6nkZIAChGh52laRnfM-ZOhWnhZqgJY60jpQJ1sTSkSeJ4PoB61AqBG-78TOkKYRgb0UCCCCTT1o9OXP2BI9vB1phwJ-X6yNHqxp-2TptFjjSKlKOyiIJOWGxL8c7_fKWILfrb60AZXSXTRBw1QQR6oRoXjE3k7QzjklC257C0niYvLIx-A1KaHTnqOTlcoaICM2aE5D4U970SiaGM7K49C8XUiGhZrDxHctM1Oc3foRI-AcWhWbzq-cRHPD74SNmmXr1Y5fw

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://intranet.rtl.com/serve/AMIfv9694daUVzk_h7KNmXB8Fj6nkZIAChGh52laRnfM-ZOhWnhZqgJY60jpQJ1sTSkSeJ4PoB61AqBG-78TOkKYRgb0UCCCCTT1o9OXP2BI9vB1phwJ-X6yNHqxp-2TptFjjSKlKOyiIJOWGxL8c7_fKWILfrb60AZXSXTRBw1QQR6oRoXjE3k7QzjklC257C0niYvLIx-A1KaHTnqOTlcoaICM2aE5D4U970SiaGM7K49C8XUiGhZrDxHctM1Oc3foRI-AcWhWbzq-cRHPD74SNmmXr1Y5fw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578158938727606"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3184	chrome.exe
3184	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe
Token: SeShutdownPrivilege	3184	chrome.exe
Token: SeCreatePagefilePrivilege	3184	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 1776	3184	chrome.exe	87
PID 3184 wrote to memory of 1776	3184	chrome.exe	87
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 3176	3184	chrome.exe	88
PID 3184 wrote to memory of 4584	3184	chrome.exe	89
PID 3184 wrote to memory of 4584	3184	chrome.exe	89
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90
PID 3184 wrote to memory of 1436	3184	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://intranet.rtl.com/serve/AMIfv9694daUVzk_h7KNmXB8Fj6nkZIAChGh52laRnfM-ZOhWnhZqgJY60jpQJ1sTSkSeJ4PoB61AqBG-78TOkKYRgb0UCCCCTT1o9OXP2BI9vB1phwJ-X6yNHqxp-2TptFjjSKlKOyiIJOWGxL8c7_fKWILfrb60AZXSXTRBw1QQR6oRoXjE3k7QzjklC257C0niYvLIx-A1KaHTnqOTlcoaICM2aE5D4U970SiaGM7K49C8XUiGhZrDxHctM1Oc3foRI-AcWhWbzq-cRHPD74SNmmXr1Y5fw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf8d2ab58,0x7ffcf8d2ab68,0x7ffcf8d2ab78
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:2
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4716 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1716,i,3109356743616516481,264822612078450976,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e2182e77750bc81dc02666a3270d011

SHA1
e8b04dd536d8f8c1a4b48295140b33a0d2c82e7c

SHA256
be03182c400bf352b6ce64b2569794ecee6481969ea5d0dabe8e27f45d4a3a30

SHA512
79e5572f51bcfb1a41645997f82bc4dcb4c65edcfe93b4571ccef8ac99ced14f6c2a2578934e8f67e964428d25e87b95e0218a6960337d398a0d1243e16b0b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
fadde0227110817b108184dfadbce6ba

SHA1
737410880bb8b664d80bae66838d12b25081cb8a

SHA256
4c29879ea20b6602bc6ff7578ec5c91b43494f7a549f578d8989f647fccbe4d1

SHA512
9af0288ce1a0648ab2337a3f1709a3e51f325cda3632c87dc9dd582eebeda70e00a2998522333626011a62a573049806e57395594aedfc138e4c33f096deda18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ba4daad1dd6f9f8f912724a723f32ed5

SHA1
515135b5c54ea4d0e6c00d80cd8aee0bc608e6e7

SHA256
047293d062bdd6e32210f8ee776eef9ba921720d7ca6e6f7ea64eb4bd1fd5ea2

SHA512
703a6de61810f14b32b131bf0d3d329621e113f0e47e12bad6a0fd15690eff81bc60d25bafffcc00ebe781b097e75918cf2e674b70ee40b853dc7b7b02008fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
9ccce4a26229cad1097ad5a725fb0d9d

SHA1
c19bd499a48d45bcc1583380a005bd2d9e420aca

SHA256
a4dbc29da5cb34070b746cfb7620713d4feb6465aa62cc596ace91ea495d59eb

SHA512
6830933e8fc406b6a5e93d839267ccf3b4346da3a55d2aedac5078460b72ac3b0b6cc2236e622a5a6c5e9fc19604764cd224ecd0bae453fbd6519c0e20f2ff53

Download Submit