hxxps://greenfixx[.]com/plot

Analysis

max time kernel
73s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://greenfixx.com/plot

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591507595960694"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3204	4064	chrome.exe	82
PID 4064 wrote to memory of 3204	4064	chrome.exe	82
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 712	4064	chrome.exe	84
PID 4064 wrote to memory of 3740	4064	chrome.exe	85
PID 4064 wrote to memory of 3740	4064	chrome.exe	85
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86
PID 4064 wrote to memory of 1280	4064	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://greenfixx.com/plot
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f7a8ab58,0x7ff8f7a8ab68,0x7ff8f7a8ab78
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:2
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4116 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4216 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4912 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4660 --field-trial-handle=1884,i,264066209789034598,12230441531990578368,131072 /prefetch:1
  2⤵
  PID:1744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6dc23982f1369dac06bedc713b2f2600

SHA1
91243f5e3fd4d98e6bdd7ec044d501a3702940fa

SHA256
f4cf267ac3b59b9acc13e0a8be63e72b67de22d1e46ecad09840d67790cf8667

SHA512
652784ef7d868e3b192014cc386fe5d37e36d80f874514a5e0e1d9c45bc8c45d3bba09e8a47002d0e92eb774a860c2024d9e07095e209cf70aeafb49410e67a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e1dc431958c8e2d7ef5e3c93339ca92e

SHA1
d28cc7b5a002b7b9c20d2affdcd700b2713e63fc

SHA256
5cffeac4a4d58a5203096f60638d93043f12dfac8085af0a395a90a37b332bdb

SHA512
63eb4b5a5b827606d0e80f6cb2781e07cc069620103d3b30ffb45060bf71bbdee43bd7c75314e4ef9e6fd0b16df8b3b988ec458b59e29287691ad4fa84f4b4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
3fe0df92d7f639e250bec388ac2398e3

SHA1
2ab2b110334ebc96d0931d5c8d962ff26e0c7a7e

SHA256
b379610d398baa25c8315c6bf8ff2469864b884a52ca904129411b27e0c0b4d7

SHA512
0598435e98327fdb9953621733af2eab76c703d0ac12c05b79ab1a079c1a919566eed0a947d02828e95abf31d934b6a457ce7b94cd67baa82eaaa30edfed3ea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6b16d9b57648de2b30591f589af1af86

SHA1
2d7232be2b4c143d157585f5ec726a0eb54d0bbf

SHA256
44162326cf0ba98e34246cc2d9154a02f4463f709a7f0e394d3403da860c0f8d

SHA512
9c477bfeb7fc1e327fc398c1d10ac865eeda81842f067d771905b793eb9686247687c61d59c88977e7ff74dd6ef98ca5c801816f6a607224a6f2d49f0f4bcb40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
95f03cce370f8f2c04f9bb357463503a

SHA1
7be2a9b960c07934442f540d21bc914f7ff9ff20

SHA256
4d667f0ec9507be8adb5a350debf214396ff4215f731524d8f706b57527cf0a1

SHA512
de682c7f9fa35241457b0d56abd1eb25cdfd68f4784b646079937b5821c5947e1e6002f0c55264f298c78588fe4c166d7b819022e3bd5cb8e5f5a48279d14d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a01c025024b748efcb3df549401bcd49

SHA1
1bc71208e80729632b62858afc8d4875f3e88b4a

SHA256
643eef0cc12fa34b510a447b6640363e6aba4bb891120b2f3b6ca7f38b5cd402

SHA512
a16a7fd0b8703b7223347724cc064397cae30b4e8eae690612941a23ebe7f676e5db2180cf02527d041e508422a301faaceedc484472ce7718e82dec74ef716a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2b75d547b5c537dc11f2ea486bff0daa

SHA1
b95ff113d16065a87d5bdf49a3fa94d6fd597c16

SHA256
4e3d95ab43fc4c9584f3d14444e8b0bfb7fa10ba0c68312ac8d31e7facc5544d

SHA512
ccb94a7bf5906e072cfdc3c433836f04c60d0035b2d51bf0f9133ae01768169ad3859976324307fe48e82ef4ab6ba3b519a9ff6b5f1a258e772e413a5e6ba73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
54331c030e38de336b78ae33e63d1bb7

SHA1
b98a31efd30d308663b942dba3515ef4dd6c0869

SHA256
2740ff3a0253e6f30f94ca3b7dc91fb813cad63a9e2c9892c947048c12e38b06

SHA512
8eefce1fd85f03302466da298c7d183307f4d1d49e70576980d80c7df9bcb7de2398978d8031a6d2d07a3b93af344d26c87ea15738f9f12d49cf03e66d34d46e

Download Submit