hxxp://info[.]lsta[.]org/e/561262/age-eventid-a015G00000kEhOJQA0/3x815b/1721334981/h/2InSfQ2CQMK8I9Y4MDeAb6zKKHRjxwiUwAghaqddSUI

Analysis

max time kernel
599s
max time network
594s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://info.lsta.org/e/561262/age-eventid-a015G00000kEhOJQA0/3x815b/1721334981/h/2InSfQ2CQMK8I9Y4MDeAb6zKKHRjxwiUwAghaqddSUI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608301866383050"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1344	3968	chrome.exe	83
PID 3968 wrote to memory of 1344	3968	chrome.exe	83
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 2024	3968	chrome.exe	85
PID 3968 wrote to memory of 436	3968	chrome.exe	86
PID 3968 wrote to memory of 436	3968	chrome.exe	86
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87
PID 3968 wrote to memory of 4432	3968	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://info.lsta.org/e/561262/age-eventid-a015G00000kEhOJQA0/3x815b/1721334981/h/2InSfQ2CQMK8I9Y4MDeAb6zKKHRjxwiUwAghaqddSUI
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafda7ab58,0x7ffafda7ab68,0x7ffafda7ab78
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:2
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2800 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2808 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1936,i,7954395034700722482,10469220641451142055,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
a58fac774a2c4147419535e75565097b

SHA1
c9a879aa5591e4356925190ed3ea8c4328cbdb0a

SHA256
3c48564f7eca0e838790ed28d1e509f5741c01f96099abe5a40449a073a6c779

SHA512
36e9066fde2cc3170f1066caa4c642f40f3e9308d767bae8d9a43eeafa1cae4d9bdbd59e201947879ac01e0966100aaa38fd00fec0946037a799433e10f65a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
576032171eb553cdb99ad5b5ac0f16ec

SHA1
9b8b1359ef1aafdb787e3a98b0108b33ad28329f

SHA256
bb9fd5a20241001a5177ad549e9118febc09a3cc574fbc15c2d9107d5eedc7fb

SHA512
42dfd364b9ada75a27478d51e8cb64f8eb03eac50e9bf0e058fc029f246a033ac0059b1a04a626be2dcb20be250f7ce1304965bd244b64de8d2c0da2fe91d1b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
b771e5cb5a2fe185886ac356a0d8aba0

SHA1
8cd59dc41c069f504574d166e321d798f1d55bc0

SHA256
ab98f9e9b0d2ff64147320002f4637037c3e17d661fbbc55db5ee5a7fae9492e

SHA512
dfc6b4bdc9c5492f66ae7909f8004fa1f00826524fd21a53b195cf054689f4cf16d91720680db02ac521684037cb814e2ef8705aa557945ee30d609339751e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f012f633-185c-42bd-943f-eb82bf0445e4.tmp

Filesize
1KB

MD5
38d786fd84b777078fa04eff6cbdc8b4

SHA1
83b217d2a707f615d2948746d62a27eaa35a432b

SHA256
3c2c664d79e83952212c17f9ef1a85eb4299d8e0e589a89d2bd59c70684c49f7

SHA512
83b9ddc61055903c73da50cf340ce5eb2e8d3dcd3dfa3fa47e392bfbdec3bc5943e13d754d5785bab0de45355a8801ac0bac2f412dbb6534525a7a9a45441f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
053df4ae60e827c614720d66fc2b492d

SHA1
28fa45d325bb459ed7fbd419e3146c46af829f1c

SHA256
fc2f8d6c0f8dc0a07891aeb2fdabf78e1135c4ca3efc7285c2a4710a14a08735

SHA512
451ba8c2acb003dd2cdd03603b3af05d620149e428817f345555939ac0cc7a7aa04b4a00f06cda26c8be74845ee16745ec4ded78efcc6847a46cda230f24e0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6aa77c05d430295e67d3d3729d8c6086

SHA1
6cd8e3c5a19f8b045a88472d257b355dd13f32e6

SHA256
47c953ab08881e8c82e743a49d425223b62ea0fd4c694d350116e161080dfec4

SHA512
edde1418342c47ed1f9aee3af6920f35d0cd6ed2914302ba0c040b05b0da3560d670810159a92d1ec389fd85b1d344ca637fa0d93c19931b906b36ff052e5463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6052b64c7c13a753d935b40fcaaa4509

SHA1
5e5621f63734a85e459c777446a431e45f701e34

SHA256
342936f63108f70d77eb8fddfcad579fcc5fc3acfa614bf773013a3a342a8965

SHA512
dd61ca93d60d54862542dbb8eca0418ef470557a3c8a9ed7e158e2d805c76eb40914a97359d9a50c04cd9a7f5bf97de23bf7f1d07b34d1fa1332c590428f7bd8

Download Submit