hxxp://tracking[.]epressrelease[.]me/tracking/unsubscribe?d=_aGsh3slbi6B7hgnskx7uWiCVq654PLZXpj2hZKzQVBZHZARw-9_FvQfvk6C_ZdONl5umkjKVS76KhW4suPhhy3M3fkiPhaiK2vsMb2QYUEP0

Analysis

max time kernel
29s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tracking.epressrelease.me/tracking/unsubscribe?d=_aGsh3slbi6B7hgnskx7uWiCVq654PLZXpj2hZKzQVBZHZARw-9_FvQfvk6C_ZdONl5umkjKVS76KhW4suPhhy3M3fkiPhaiK2vsMb2QYUEP0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582329894351774"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	chrome.exe
524	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
524	chrome.exe
524	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2524	524	chrome.exe	73
PID 524 wrote to memory of 2524	524	chrome.exe	73
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 2668	524	chrome.exe	75
PID 524 wrote to memory of 1256	524	chrome.exe	76
PID 524 wrote to memory of 1256	524	chrome.exe	76
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77
PID 524 wrote to memory of 952	524	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://tracking.epressrelease.me/tracking/unsubscribe?d=_aGsh3slbi6B7hgnskx7uWiCVq654PLZXpj2hZKzQVBZHZARw-9_FvQfvk6C_ZdONl5umkjKVS76KhW4suPhhy3M3fkiPhaiK2vsMb2QYUEP0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe88119758,0x7ffe88119768,0x7ffe88119778
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:2
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2576 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2584 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1832,i,1707862100016643027,1107612456506111174,131072 /prefetch:8
  2⤵
  PID:2040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
780296bb1f9f1e8414a5b85719039858

SHA1
5ef2e5e55e2e972f5af764223308509f7b6748e9

SHA256
8bcc6700518ff8f17ef7fce65ca6967070ea1f6dd3a7fce4d57fc754a0751707

SHA512
228db59f5131c0fc17812f8fc4b714d2c0ab8b9e6986c8999aea202581a6f9396e33da7f53210d31d91f76a198ead001bd7d8e6e9414fdc22932f60adfbccad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
780c80210a722d0b53efde57d6f4e168

SHA1
59dd97dc9dea46b4844efb7d41631a664cf22597

SHA256
1c94171f08d19cdf36e86fd0365e70259d0fbdfe8203c1e04bee333546cfe8c1

SHA512
cfdf748999754d490f620bd3b6127c393aacf2fd7d5b3490b00629ce7c9ad45126a28c5cf02c84b870d3829aecac8cf9cfde5f6918ae135c13ffdf50e71511ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ffac8e42de1a2e936db749afcabf385

SHA1
d79b4399706c5fbd7a9df1367804b89f9a290a54

SHA256
21f7935d5bceb8837303dbbd8fd95503b7038c5aa46ad18320ada0ab59c96535

SHA512
d88da00c4bc257ece4a6b30b491c9ab49a3c33f60e0589f319750866abf9d6e4f4c17a6dd85964ece771ae619570297133f8f5b70d88f32d6ccb0bac4d41bbc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
650e98085172eb6408d7eb7fcf37428c

SHA1
195ea53e96285ffec70bda47a770f011c76f171a

SHA256
52920285646b39e007dec2c444bc6ed1cfa4812495ccbe81bf4f16a3fe496870

SHA512
de5ee7a1ed02ae691d1e6b49c7d914ed12b62974c8ce2ca5c1365bdebf7f912ec2221d81df3051b2136cf66305dcfc799f77e8ba7957bc6a9d254ddeb855a36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit