hxxp://docs[.]fortinet[.]com/fortitoken/

Analysis

max time kernel
30s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2024, 08:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://docs.fortinet.com/fortitoken/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579043536860350"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1480	4796	chrome.exe	78
PID 4796 wrote to memory of 1480	4796	chrome.exe	78
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 2172	4796	chrome.exe	79
PID 4796 wrote to memory of 4488	4796	chrome.exe	80
PID 4796 wrote to memory of 4488	4796	chrome.exe	80
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81
PID 4796 wrote to memory of 2972	4796	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://docs.fortinet.com/fortitoken/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9a1cab58,0x7ffb9a1cab68,0x7ffb9a1cab78
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2108 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4488 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4044 --field-trial-handle=1816,i,15748319036546761673,16001976936194765820,131072 /prefetch:1
  2⤵
  PID:2304

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cb2b4904ab5a114c84dcc2d222916048

SHA1
6b895b51595a7b8a70d5794bc83e04f433c33ba7

SHA256
b49ad003fc092e686b80b51dafadde3ec7cc74c3c038574b114535f030a3ad99

SHA512
b4a820ba4e9833f50d83eb1deebaf925d73bca4f1170800c62f4a9e995a8fe9c6ece836fe80dbd3e93acb5dd44d0411f151087249a0a37e0575ef102dffc32a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2f7076d0b990de77435077f4f3fb3652

SHA1
1209010f0e9abc7c41c177229704aba3d3ed4d75

SHA256
74c544b05ef0ff299a84331f1e1097af8363244bb10518f947745115161c15ed

SHA512
ed553c5dc121dadece1166c81ee3ba8e282772fcc873d8c6095819b67a1435f7d794e23bfbce38b5040113112321e63e449c6a9f244220d49cd2da69b4e3453a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9c00c9d535fb29e39b62e2045be80ee6

SHA1
5a78498d7b7949d3ffa5489ed1a871f813487e02

SHA256
528dc888b81772a8947223e57ac88faba6e62cf88c2f3eea55ad42fc84577148

SHA512
81cc49c667a5a521d50c06b8934c4b208e0067fc046f2485c970bbff6cd52b6d21e6e43e791f65a48e502f67561d1db2642d72f07e8801456214989a8786719a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
8fbfe9d2778781151bea8cc176e6509c

SHA1
4d15652d9abd39b358633621b8f150c6beeb092d

SHA256
ef41f79d5510808db973fa219a5baa35e1ca42a35d4c960891751d3f5976eee5

SHA512
c1f43ee46732b9391705a4eefff410304118aef6996c1a9addc7f76a43b6b4d62c51b54be60a3ce41f4e47144851fe5fcbe35a51802d45d9dfefe2aba8a60794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
dfc001976da82983c051ed8977a9e145

SHA1
5c799571558ea59c72e78dbb62540a2169fbffff

SHA256
08ce7d71504c76de983c03394b02f20b2cc6f5f1c8768dbaf6fba0a3d1514580

SHA512
d2018d1fb72ea14b528b72e9b1306b98bb087e28efe3317a13813524bcbf2ca081e6247391dfa195145588bab16c2d0226db6da570d468b337778cdb88601640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit