hxxps://enterprise-vip[.]betterwood[.]com/renew?sign=1dda996d-0364-4bd8-9fb7-b02d38eb48f8

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://enterprise-vip.betterwood.com/renew?sign=1dda996d-0364-4bd8-9fb7-b02d38eb48f8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2332	3404	chrome.exe	91
PID 3404 wrote to memory of 2332	3404	chrome.exe	91
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 1052	3404	chrome.exe	93
PID 3404 wrote to memory of 4936	3404	chrome.exe	94
PID 3404 wrote to memory of 4936	3404	chrome.exe	94
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95
PID 3404 wrote to memory of 3840	3404	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://enterprise-vip.betterwood.com/renew?sign=1dda996d-0364-4bd8-9fb7-b02d38eb48f8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c009758,0x7ff98c009768,0x7ff98c009778
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:2
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3988 --field-trial-handle=1904,i,13655955075003280992,10245862844912897269,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4efdbb70be626a9c601e19f1ca9cf68d

SHA1
a076d384b8910c03d220406e7be62c214446dc6a

SHA256
0bfb5ee034482074a490c36e3a06fc3872f8d4f44cc7dc91272ef2cf74f7aeb5

SHA512
4b5cb8e6c8947569078ff19056c1c3c56ce45e11d73a5232033d97a0ee4a1a30f53c3367dd8deb2d562188d4135ac01934b3d85ff08af37a79cf524bf5b629ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
630B

MD5
3b618935dfbce85525ea6fedf308bc8b

SHA1
81933cfd82868ac518e445ae029967be4ca1e3ca

SHA256
7616fa3f0b1bbc57d61e4e8f6372e1c9f09ec0a757579a9999f2fe07b2d47c5d

SHA512
caa4e9b65f67be4369be8e83075095a1646153ec90cf914958e96e7f0e1be97596839d7da57b00e10289372eab97102ca6653785ca09de73c4db0c059de2988c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
515a526cfdc2aa1f71915659bb1a5328

SHA1
185adeebf249c5cdabac6ddaf9e1908ae86094cd

SHA256
541249c2f011490fce4ae3d2ed8c0d3680f9246b0fda85b8fad79e1227a61d40

SHA512
b17a06b6731638e8e2ae70f915ab57024c6fd15b15939a852225d8cfc2fbe8f9a02d44c7c90057f9bbb0a2e049f08aafa2241624ecbe98ba04128c2cc4a859ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
9a48a1d35b91f6625f8d8dd973c15e2d

SHA1
3b91dd04ebccc1c24e0aad01ebf5b654299de6ae

SHA256
6012234ec3174681100650ebf27ece68c2cbe082b7025d2375d045d369450a0e

SHA512
1ded05e62a6652d10532a3133582bf55c94a9810aeeeb860f93b13478069c34047a7d079a0759c43789122be10a0666bd464ad7a7b17785934810d6269093dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5c7ae5033739d958f6123d249897e4ff

SHA1
3f9b2e42780c51d57ee72dc22df87c9deb730c60

SHA256
6b0d5bf318fb137ece382b966124ade9876df61b6cd0f395ee6ac0e8df808a5a

SHA512
f27cc230d7c897a08f688d7ac7995aff9638df7b1849f032d27ef12c8750dcbf513ceecbf1e5061a11ceb71c5bba74ceae2c7c145695206802694a5ee9d6facf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ffc59112fc5f16fa15b4762f2ce5fc01

SHA1
c9c0f32e823da55c03e225d9095e152369158cb4

SHA256
d22711db660fd730ef9fc01da2c1754c5f7d68e892188cfe3e02f46e9182998b

SHA512
c71dbaa74d25fc72163de5cf50a1fd63db135e9e19ad7681adeeb75f7d39549d7e54ca73b92ea06a8b05c540613a32222df6dbf75295a7a18a1a3ff4844948bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9edb755b0c2018a9244c9cd57aef0b55

SHA1
52de71fc2e0fa4da39eb4cff9b43914a09c9119b

SHA256
53bed369c80a56ab8bc3c2c707e576a19fd17dcd71be560f66ee685d64361a97

SHA512
2ac9480156f1aa487b5b52598a6d156021808f90d9f44b91a8e63238f1b84916a0cbd052feca85f9c6ba215c68f329d957a4c871be3e460c4eb88bc19756db34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
5d739c48eece26fafd562b73ac7ad2ed

SHA1
06156ad3320c173e0558ae5569c1b54bb77b196d

SHA256
ebdb8c9229320c172b8145bab8aff42b9947f33da9325598d7f4e781b38c93cb

SHA512
0a8fcb8abf55996022d2c7e85d1308d6ec97632ee4c2a2795e3aab5a8c966c8c4c1a83591a1c41fd4b48c0335b8284ba2a1f7089786910cf3df450f1781a8f20

Download Submit