hxxps://tcgms[.]net/tr/c/l31a2fh28n2fi28y2942892ec2a731x2a72c628000/2065568

Analysis

max time kernel
39s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tcgms.net/tr/c/l31a2fh28n2fi28y2942892ec2a731x2a72c628000/2065568

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 1260	5064	chrome.exe	91
PID 5064 wrote to memory of 1260	5064	chrome.exe	91
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 1580	5064	chrome.exe	93
PID 5064 wrote to memory of 3440	5064	chrome.exe	94
PID 5064 wrote to memory of 3440	5064	chrome.exe	94
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95
PID 5064 wrote to memory of 2104	5064	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tcgms.net/tr/c/l31a2fh28n2fi28y2942892ec2a731x2a72c628000/2065568
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb2a39758,0x7ffcb2a39768,0x7ffcb2a39778
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:2
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3904 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5032 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5956 --field-trial-handle=1780,i,2629514896258839475,3862221664404019516,131072 /prefetch:1
  2⤵
  PID:1496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4b8
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
b162dd77c5f4409f06aec41f326a34fd

SHA1
eda04d8834afa684bc3a14839fcea40444bd5407

SHA256
a2124e1807207c884522f52b8e7fec6dcb6e431c4136bfde9a386d9cb2d8fa1a

SHA512
503de9be06f0d01698e0acc428af0b6266680ecd4df9be8a21fc81f730ef8ab3384860d936b90f75ac6f67cb556dc723d990978cb12d35db40d43ca3f3e271e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
e9d3a39f581789101daea33364fcfc83

SHA1
ae4dc8b06a33c268b2ea1832f77f272b6bb84cce

SHA256
d733955c4be16a6dbed9662c90c8408d584e22b74ea1c042ad6e5ed341d89c36

SHA512
c416613f3bd84be87978e8ed3f7d21a019952fd210422e26004b731506d268e86532f61166335fa540024dea6c965ffbffe3d7fbf09832dd41e48f025ee685ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4c0a86d41c2348eea0f114aa64b0861f

SHA1
419070b6bb268bcb6deffac9f26599cbe85a2cb6

SHA256
3f2dd91cc45e8af4e1d5cec99ad9cb2bcf678fe407b95bc82475a0fee917184c

SHA512
71cc5cb74ec70445135088405b8b0c27947ca15823b0556f5da354da77c170f1a2b17d2ac1360ff6451ccd2c3325b29f99bc8a5b5bfcbef8662fb7e995fec4b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
da6ac3356c77e99629b70faa8d518324

SHA1
1cb38f38524b99716c1bcc57bc0bcee7e0082e49

SHA256
4ef55172d7af5c593151f878bb200688021c6934e8012b41213fec81491d4243

SHA512
b7f2cf5a0678c0dabb10ce9b84881b8debb7c71618e2d7e171bd570bd12e975824f64f04b49e871e1fb71595d545e707b95372c12b584a1b3b0806f5344cecbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
03c8b791bd8b1278679035483682e137

SHA1
885a464561c999e933557a076688fe5605c4aa82

SHA256
7602c327d4d45204f0f91bf35041099fb58e04b8c9e2397ea8e1a4da32ee3fdc

SHA512
5cdf1c99d1f50b13edec0ad0580b33df91fbbc8313cf1bda39b7a4fb35910dc4e100780bd5ac87aed1de54af45a38889b6bec5dc47ee9efc726b2877b0870e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
d0fa3da0a4c9bd27025fe904c94614ab

SHA1
436b23394c9840d14725c3a4359476db8f0e51b1

SHA256
a301be2d3de6303d1cb6906b563151c0c44065eaed70ea7ae6c38d3d346bdc53

SHA512
e965938a19469266c641989134544ad4a8d020bc33d2e5b76f1498d069c12212f3b8b743fa61e44c85dc469734aac628bbfe17832d588f43d6e3046976f064af

Download Submit