hxxps://portaldrive[.]net

General

Target

https://portaldrive.net

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609610761534763"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3508 chrome.exe
3508 chrome.exe
4016 chrome.exe
4016 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3508 chrome.exe
3508 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3508 wrote to memory of 3524	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 3524	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 592	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 5048	3508	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://portaldrive.net
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff994079758,0x7ff994079768,0x7ff994079778
2⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:2
2⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:1
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:1
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:8
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2400 --field-trial-handle=1912,i,11836414442782066487,1144004933271907302,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
933B

MD5
52a3f656a92a0048fe007f24296e0ba2

SHA1
6915187deb8c8171510263f8f88476a37aa2a6ec

SHA256
2418df251be03ce481f624b818cd7d20eccb283b124e98d8cb35a4cbaf2fb775

SHA512
8b35ca08a60587d0bc72b626a933df4d6a60a0ec187d10fdc026953af20c50a60153401873e1e5997366e774dab1d24daad88fa5275e95c1db7725378336769a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5de6a629a0ab885e25e7e4df11c85c16

SHA1
0ec1b291f9e9a1815891d37ed258947e8277d5c8

SHA256
f6db0b9cbacd98431db31f676ae5186049e8d38a274864eb0af1deb51919b987

SHA512
88bca1ae82381025fa26b9a180f35cf7ca7656c070aa0c76850ce9c9fc6e096fb3c0bf833b29fbb4424ea9ab4eb3180ac3a4cc4926e1ef97901fd8440dfb226c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8710c3451b80a8adc9f7e6bb042a6bad

SHA1
e160dd1e72950f68f9151211eea788a7faf28577

SHA256
a438d6740f1d38e536b8f95d38a6cf8532a58ca6bf1cafc90bd0f4ef5eb7b720

SHA512
ff631ad8a3728da3dbd7fc7db00955a8c43558ac5ab292c0f83835663e762a0d13ae8ebfa67b8b317b3cff4843c36f730f48e9387c60527e7e19f5a358749d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
72007609cd780260a60f0755366d7184

SHA1
5ec940490ef3f141f0527563bc6332fc70410bd8

SHA256
8632bca73fc9c96629eed7a7c0e165caf451a0d5cbe029d961deccff2c05e407

SHA512
3c6f9d503ab17e06b083588f8678f5e76bb1d7a1ccf7626b4877df1aade66ebf0de4ceb279917e197a8259945f22117fe0441c68eb7681d0dd3459045e7b47d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
3cacede6339ab65f835bd869c90045b5

SHA1
9e5c2128462fafb44bf2c7751745abf2e7b15682

SHA256
cc4c8bed92d22001a404feca8c9159c236b2a9530cfd9732c701b074aea7dda2

SHA512
9acc2d3f4ea543398c63c9751ed31424ee927e62ebd7ab3afc2f640af01411bfa1d5b73071590dcdaff917ab6684b2e629763882029e1a6e1c539e32c846705d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3508_IGBVOYLLEOVYFFIL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads