hxxps://jq61pmbi[.]r[.]us-east-1[.]awstrack[.]me/I0/0100018f96e8ce41-91499282-111b-4fbb-929e-f4f11a5a0890-000000/aEasZJcno-SyH8KxfZWq9QAmuNo=374

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21/05/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://jq61pmbi.r.us-east-1.awstrack.me/I0/0100018f96e8ce41-91499282-111b-4fbb-929e-f4f11a5a0890-000000/aEasZJcno-SyH8KxfZWq9QAmuNo=374

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607235815616417"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4028	4588	chrome.exe	73
PID 4588 wrote to memory of 4028	4588	chrome.exe	73
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 5088	4588	chrome.exe	75
PID 4588 wrote to memory of 4976	4588	chrome.exe	76
PID 4588 wrote to memory of 4976	4588	chrome.exe	76
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77
PID 4588 wrote to memory of 216	4588	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://jq61pmbi.r.us-east-1.awstrack.me/I0/0100018f96e8ce41-91499282-111b-4fbb-929e-f4f11a5a0890-000000/aEasZJcno-SyH8KxfZWq9QAmuNo=374
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe39159758,0x7ffe39159768,0x7ffe39159778
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4360 --field-trial-handle=1764,i,8957723494874331572,331303529973357874,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59493a5b4f74dedc98787af9433d2a8d

SHA1
2203f7251be613b2f079da8a370661b7f6ddd4c5

SHA256
fa976b290befa5c5014a96d497f70ac9b57ab450455e20faaa4a0ecd99f7dd77

SHA512
f3d36d5ea61fe11be3e0c52025edc512570c0a028d8109651ec7da95dcb7b53f6744caf920acbe27ecfce6e321ca143cdd816b077f4ce5675df52c26498400c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c6f8113e223371eb4e10b9dd4fa7b80

SHA1
b4e42bd2d4709b365d12586173e4b8b0ec12bcf0

SHA256
97f7a6ea0ddb0b530dfbcbbfc6f1add7b7d18dafdb669ad70fb1977c67eb0495

SHA512
31f39a571db6e3c2e76634e13df6ba39d04d6c5d3af0cb3b0578f0f7adb60dd8303314bf087c4bf98dafba80c81c59829b5cb1b4007db7746a042eebd714073e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4dcc0c2da0370125dfa2d29f2326a715

SHA1
0d7094acf2027f1179590e4def7dab0775c2ba29

SHA256
e840deec2f9ebeb564c17c9775223609e6accb052804e9cb585b43ec510bc02d

SHA512
bd092446a4b33b8f30687e64fa051a94c3726a570d533d25189c03e11c5d69b4c4ed74b28673326acf84e73961024433029bc22e0b1dbbcfd87da03e55fbbfb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
41275cfe594c705818d1b80265a67abe

SHA1
eacbdee35e90f5a2df3719f7085bb9636bdcde67

SHA256
2e00d1a0026b5197e0ffccdde7bc9b4b77df0476a834616e5806c1e6767b828f

SHA512
8784295a125379b450395cbd23a9c5f265088bde7aceee93a22378b3b507520a65b0d1cfaa845d14213b264cb1e0fe83aeca46ea77cdcafab9b241c75def952c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit