hxxps://71[.]26[.]131[.]97/

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 16:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://71.26.131.97/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602636798509396"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3948	chrome.exe
3948	chrome.exe
3924	chrome.exe
3924	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4304	3948	chrome.exe	84
PID 3948 wrote to memory of 4304	3948	chrome.exe	84
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 2604	3948	chrome.exe	86
PID 3948 wrote to memory of 4840	3948	chrome.exe	87
PID 3948 wrote to memory of 4840	3948	chrome.exe	87
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88
PID 3948 wrote to memory of 2804	3948	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://71.26.131.97/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4673ab58,0x7fff4673ab68,0x7fff4673ab78
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4836 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2704 --field-trial-handle=1948,i,1879289376618080169,2133594814178087363,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8a7acb521468824c09acc14b6684ef91

SHA1
438bd12620dd5cb447e55b8ce96e204288d64aca

SHA256
7b04f3fdd5ffc5e754d648fb53a99d9908117e2c31399d9bba70472cc15d2330

SHA512
41cc8fde8412648ae6ed65a5ac05dd0e27e1d05d4efa8b51e6b05f39b832a7d3edc5595d4adbd8223cfa3fe8b94b21a23202b06762f4d4ea963590781311c19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e3c00671cb047b3ee2969fc596c8a572

SHA1
6fdf1350915d598aaad73ef5cab15025702f4f6b

SHA256
0ab6a3f00cef7c187ddb1d0ed4d455f70c859bec7c81d2a4157db6c6845055c6

SHA512
a62f2cea85ee6cf9527c7e9cd3ba031cfbedbbc241fbcd848515be54f59517c980e6c925a939498e3087f824a8ae5f1e27cf3f22b188916b8d127c44d959c679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c57c157e9b54aefd402f8046b1c66735

SHA1
9b82363d1073fd0bd2d44f3ef25c9691055db2c3

SHA256
5b3a21515b38bf5c2f8961eb0ebf4a09a8dc2ebd412bd7de74cef8c6a9b93379

SHA512
4a9940384b3cf47485857cb528e0ff4e09ed90e1ca7d699d6830b0808ebbed928c824fa6998ffa1607b00d3dda1f71af21c30e259aad81b24aebf946cf4bfe62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d79fd538818cec42dcd1e47a69eb60b7

SHA1
2e3fe82a7c421c90aa4ca799f50bbcbbedd37d89

SHA256
120f3b8ef17588a1516f8ca6efa2308d02efcacc67f027589349ee50837a5451

SHA512
421e8738dc13cac3f74a983671fdf774830dc5ea7ebaa0e67b36d9700f7cd89aa29e2e13a971d99c376e78f1764510f76132ec2312cd38513a084c01f284d4d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
0c835185dd1ff5c2e976fb2c18e2d828

SHA1
9ab360f0dfe2408cf1cdc28aa3844c6ac1102dd0

SHA256
503bc2ff4646a631af60131114352a1943d0114addab573f32906d038a3eddff

SHA512
f13d36ac3c32a2ea5ca6cb7f041fee26436697a2bdb8682480e9538a4992f093e40ef92d2b9eb8aeedf0fc02e4ad0656a7379aae216c20480a2a55592bf7c236

Download Submit