hxxps://496gf0lz[.]r[.]ap-south-1[.]awstrack[.]me/L0/https[:]%2F%2Frzp[.]io%2Fi%2FVpbcgtkG/1/0109018f9c542536-9ebeffd8-99d5-4150-bef2-2752354145a7-000000/iLEtOLjzdw2j8OuHQzI_b6LZ2II=156

Analysis

max time kernel
195s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
21/05/2024, 19:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://496gf0lz.r.ap-south-1.awstrack.me/L0/https:%2F%2Frzp.io%2Fi%2FVpbcgtkG/1/0109018f9c542536-9ebeffd8-99d5-4150-bef2-2752354145a7-000000/iLEtOLjzdw2j8OuHQzI_b6LZ2II=156

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607946983890175"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 5088	4992	chrome.exe	79
PID 4992 wrote to memory of 5088	4992	chrome.exe	79
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 5060	4992	chrome.exe	80
PID 4992 wrote to memory of 1028	4992	chrome.exe	81
PID 4992 wrote to memory of 1028	4992	chrome.exe	81
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82
PID 4992 wrote to memory of 1240	4992	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://496gf0lz.r.ap-south-1.awstrack.me/L0/https:%2F%2Frzp.io%2Fi%2FVpbcgtkG/1/0109018f9c542536-9ebeffd8-99d5-4150-bef2-2752354145a7-000000/iLEtOLjzdw2j8OuHQzI_b6LZ2II=156
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffaea4ab58,0x7fffaea4ab68,0x7fffaea4ab78
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4016 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 --field-trial-handle=1740,i,14900358076864619700,12567300845397191500,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
50d65571e54fa9fcfefa6904a1047517

SHA1
15da882c7c03e1bff372fb93a7c60180683c012c

SHA256
18d32087964b926f205019a889d9e48d55db2ca603d124d7bafa0d8e36c310cc

SHA512
2f2b6f25db249e8b15518d1106c49ad5ddb66182d0582e74be3a1e900ee80b557789beab520e1a4b36a9168c3e25b417dbac06a46147c55f7dcf3c057a034b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a44ec3c044084ff0e6714852b90a177d

SHA1
6690e4995ad50574db3b90835650937ea0074ae8

SHA256
27a5fa8fa6fd544986ec125a0c49c2e4e21f57053cb4a3d856ad89aafb297ec1

SHA512
842804065a0202fedfb6987462165b121e9f6250c6966c13f50f36adcd943d12f51f90847a70fb9f7f025eff83c1adf2aaa9f6c9e4b96fcea0a760eec2080bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1c3eff55d75596f080fb931968dcfc8a

SHA1
f789aca50caea83f480a3e666bab7ecb49e0fb01

SHA256
8a792eca8681dc401ecd7c554a042186b28c89b29ba2b35bd3b33424e5a7df47

SHA512
1a4cacf4d4496384a3312fed77850e5e5ac38948e0ea99fc738b83014414f97878774ccc855cf1a74e71e8a757752d5c7d43d3d881184b8fdb625a232bafb8c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
892b9d380983876499cff18d918d8111

SHA1
fcb03a92082504733e9732039a8d34698c91ff00

SHA256
06853f0b1e6ed09cf22ef3fe1705e1f14f9e3f82e470561ca4b45fc3d90d3f0d

SHA512
8296dabbbd2640b92aede50bf3670a15c9641ee75a4109548fa3ddb0e279e42f6cc307edfbcec03092626680b05b0ed35198e230807d7b2b5c2f338656bb51da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1174a53c0a49255a4fee94e1336c6668

SHA1
da0db5249472553a696d7c7843a4ae699db4e2da

SHA256
a27b89f5a73159902237bfe77df1c4c19ead7a889063f4d707fac49be143bb03

SHA512
42a93c9a1b1b7cb0791197f6221dba817487c8c3e4f445618cc08a3bd40def02a310c27241f693dd019693da478c66969d4de26ebb642abc5203857c580a9d6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
59654218fa245ea1f7764961374cfcb4

SHA1
0a9579b26c6a67906cdcde1091b5e0b4196c4c59

SHA256
d5ad918be41d626bc3718ed862ddb4e9bdc9a15020918505beee48efb6deb78d

SHA512
62b1709927526852f1e79fa8f17453070e6a2fe1ba0b50a590abdfffb6ac9cdaa59a27e96c74f22897af3d5bdf4320cedf5e9475dc709a3d0a32d1eb2a063af3

Download Submit