00df06e486137943654d3259f947dc01d162dc71fafa47f4938181c7c4e0067f

General

Target

wpad.js
Size

1KB
MD5

02b80d8c3b62d0494bb45d44f1789cce
SHA1

0a195cc1037e584680d667ca4e7fa666c5df3a53
SHA256

00df06e486137943654d3259f947dc01d162dc71fafa47f4938181c7c4e0067f
SHA512

6b6a7eb196debba8af8147fb6f9df2af56ccabf4d21101157ef3a60eb8c31a0a8985f1613e1ed128893264abd3c36539c0d0d359a0b31d02c751473e587242c7

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3844 chrome.exe
3844 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3844 chrome.exe
3844 chrome.exe
3844 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe
Token: SeShutdownPrivilege	3844	chrome.exe
Token: SeCreatePagefilePrivilege	3844	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe
3844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3844 wrote to memory of 2616	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 2616	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 844	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 3020	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 3020	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe
PID 3844 wrote to memory of 856	3844	chrome.exe	chrome.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\wpad.js
1⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffff37ab58,0x7fffff37ab68,0x7fffff37ab78
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:2
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:1
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:1
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4212 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:1
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1984,i,12410055175877798797,3838850679113360916,131072 /prefetch:8
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
352B

MD5
87b484a80339008029657182b2f204a9

SHA1
5dcf1bff74d76d0cb54cb49490c4d3ef63eca739

SHA256
ab99a63b4744e30e9d1451f88f1211321173af179819bae156b35debd70eb228

SHA512
e2b8662871fc1d44cc48fca1363b8f4662816d43e64fbbd9172b6c4a012684586a39232360d52e1459290f85b8f69039f02b17895a8082318819cf501556cc00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
10531aa0cac059dde7e1f4f1328cb9de

SHA1
1628ed5f4b88882431933be586cd45ed2ef5152e

SHA256
d37429fa1f5966967e0d3b3e66778bdbcfa6d03e0a6215bf8b9bb565f9b78460

SHA512
307226fcb5daea74f13cad18146434f59c8c8cd2198053de2689ac6bf67b56fa6a4b3aeb25d40118f2e5a2268b6d95188088161a1dccff5c4e816efdaf78d826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
b8b80a7e7193a40100b35a11f0d27f68

SHA1
5c8d7b44508d7a5dac65ff38b457af6a221bbd5b

SHA256
9554f16e24fd377a165f9775b83812f1d0b0c4ee061d5df822d073e5962172e5

SHA512
8c21e15baa0e60ef82e1f15ea18e5f6a2d4ec3cf996ccac666fb1b243d1d286a516a22b3f6ed6799b3acc5217e4ab8ef3ae23178dad322868a2b9d88387aea1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
e00429e0e07640cf577400db4e40b4d7

SHA1
6a13af429a37fbf0355068378ba77a248f65d22a

SHA256
4cd234758bf06e0e2ac0b507f1ccaf6a1ec5a28c61df4e4634c0e305e58b6e6a

SHA512
6dee41e4c66f6d24ef7be400f43a438b7640aef6b14a695c958be0303abba8bba8e3410641fc5c42c3d49bc228fec6d5b06e5c1599300ca86b247b564d8c03d4

Download Submit
\??\pipe\crashpad_3844_NNRUEIHWPHGUBXEV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads