hxxps://upload[.]disroot[.]org/r/bvt8wrU5#dy/fdMr0RcjPH0kC8wPsBDsTvUwzHKkRi7Z+jollhAs=

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 10:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://upload.disroot.org/r/bvt8wrU5#dy/fdMr0RcjPH0kC8wPsBDsTvUwzHKkRi7Z+jollhAs=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603311664599757"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1464	2752	chrome.exe	73
PID 2752 wrote to memory of 1464	2752	chrome.exe	73
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 824	2752	chrome.exe	75
PID 2752 wrote to memory of 804	2752	chrome.exe	76
PID 2752 wrote to memory of 804	2752	chrome.exe	76
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77
PID 2752 wrote to memory of 4304	2752	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://upload.disroot.org/r/bvt8wrU5#dy/fdMr0RcjPH0kC8wPsBDsTvUwzHKkRi7Z+jollhAs=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe2289758,0x7fffe2289768,0x7fffe2289778
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:2
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2836 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=164 --field-trial-handle=1724,i,9029828233156482747,12680600426891770951,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
00af1c985ecbc4ff668e5bd96198231d

SHA1
8bbc7c096d7421db020811715dcbfcdb0b85e7a0

SHA256
bef00b3693bda15addb6390fb41c9b7ea68e65dbee1b68b3c9e917c374e0589d

SHA512
adbf7ae1949b55301a12ea5c14bbea46d5bbc9634ae5e22668076a36b3b61db48f479c1fe0b8d3596e6884885ed1870824284d2cab54b5c4f3ba3fc84a86e24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2fd01dd3-58bf-401f-9415-882faf3892f2.tmp

Filesize
691B

MD5
119a5689644886b07127d567042e6046

SHA1
cf4055260248712bcf8c8b391a53694804eb1b4b

SHA256
341778b666c345b8206da1d6da605960b77253770fb8c3f6d1be3e6175c73bb8

SHA512
3011d7e062f37da58b4f2fdbf842133a0d06982729248c78bfc51957e8b49982cfec61803a2d910839ed3686851c0bbddd101b8b76c7e5506ab661348b330623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
ee9caf70be297ef429af34cfc57020d9

SHA1
f74f44648648865b2777e26ba42b279d3fcdcedc

SHA256
fb3902c03f85672cacbe6bd3468ad5c3d8ab93bee94bf10f2037b69d7aba4567

SHA512
6784599b3c864e3ef822d2c4ac9b4ee268f5b16220254eb7d59bcb10c81cc44882bc8d416d8f9686ecbdf0f9a1bd78e300adf1cd1254b14f4ab4484ea42ea44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
896fed08a0c41792060a9d417dd3df05

SHA1
ccb7f7f4477541f621b46daa10ac664ff12fec79

SHA256
fa9d26fd3505cd6cf49fed5742912dc451e52c8c8b61dabe41ed052b17af7cdb

SHA512
36fba5e30693ef279aff79d9fa3fa499a07b427a6079c7a47da5f08c5fc47c3b86876a287e32c85da0e82baadb15d0b01a75e90a6547b082d8df51c5318f4443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
31569a746027b4d87370f3e73fba0596

SHA1
432ae0611d975d4f4dc84f4a2fe1bb8f51a6b5bc

SHA256
5ca9b4b95ec1fd269115b10b9a466af80135061a487557eda4612d265936314b

SHA512
332575524be47b64ebd41fd0f90237b55f159781f2a6f74cf88a3d29220e49a5ab3c64c00560b6221b31f1219c4278469f919ca260c12b9575235005a21ac1aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bbef18c4d16ec58c649081255efdb953

SHA1
9555ae2742dcc59d264841a86b7a5a5888e0d216

SHA256
07f2383d6d4f2b22a88dd3f1aa3727eac00bd18cb5187ac49e21caa906ec1526

SHA512
51b818405c8e62468571a38d877d535ec858d85c36601509f00b1a9ff8bbdc113890e86b4aace6d8fe67203402c878f51c1c15392b91627b3e49f72b9bb28399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
c97a15a772f9409a6229a4b34e116a83

SHA1
182e51786ee8210c6c327de1af7430c9f3019565

SHA256
e6be11db30067d3b14a72ec76fd7b8c1ce9fc8aeae7b108990a7740978d77918

SHA512
afafd876fc585ab702ae95e1ca4e70f56045b15c4b68ed06accbadbd47b82b74255d6a9900d3511ca044453b928717f16b49c3be984920c9e535e5769401ad5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit