hxxp://45[.]142[.]182[.]70

Resubmissions

25-05-2024 21:11

240525-z1s8hsba79 1

Analysis

max time kernel
32s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.142.182.70

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611451052048944"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4136	1952	chrome.exe	83
PID 1952 wrote to memory of 4136	1952	chrome.exe	83
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2672	1952	chrome.exe	84
PID 1952 wrote to memory of 2012	1952	chrome.exe	85
PID 1952 wrote to memory of 2012	1952	chrome.exe	85
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86
PID 1952 wrote to memory of 4108	1952	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://45.142.182.70
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc63f6ab58,0x7ffc63f6ab68,0x7ffc63f6ab78
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:2
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1900,i,17055386815979109594,9348340626478441323,131072 /prefetch:8
  2⤵
  PID:4640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
70d0aa60924cba8c818ff5599dad7c8c

SHA1
72b8473befa1dd67af0ecb92f4e62c0043a2ef5c

SHA256
95054abba54fdff2d868db61197ee696005eeb937471aa97f27f68546e169b39

SHA512
ba4373423f2aad27d6ca931e50467de7a11f3839158ffd01bb85e5499c48d0d48c154bbcc86eb9bb865e21a9887acafb892e4a6c435349e0d223c1c45913d41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0dacebebd57b3979351d7f6d9fed613d

SHA1
0799d97bd6db5945de815cee3e1a5eb0d5f00268

SHA256
397971890c99c24230ecbe39e0f0d364978899588abd454ede5876dd4ba285a5

SHA512
297b21513a90e03b56730e4c90cb8e35cca1fbfb66a7bc064a6935ba6925f023f8d2b7e6bbb62dc85e2a3ffdeb416ee69ae885caa4f14fb2996bb8ac3c84d97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b2aeadabca00ca67a60833ecca0bea4f

SHA1
116a4d7d1078f339379cee85103ed835d6a4e469

SHA256
8e20f235200039a2c24fbc44a5290ea220dad82ef9ac57f706980691806e4a5e

SHA512
2447b4314dae8b78ac67c5ddc1eb5dd7fd0e5e1d6e8ddd60cbf8ec62edf536a11b4de805dc79c04b66215a00b53d0a87c6c2cdc3cbf6142821d726ac4062906a

Download Submit
C:\Users\Admin\Downloads\mips.crdownload

Filesize
121KB

MD5
e0f80f25e81eb941fec55c5f9f396d7f

SHA1
028a216baf4f2e95ebcf3ef71e91109801781faf

SHA256
db714cddf2afce6b4c0773850189815085425ffc13e3a608ac744519c82a7ebc

SHA512
a76d8530783e12042cf00cd9269f50d49645068da5999f5f80d7a2c27adcf179d2327c1b283bd25e02e99ed40b0ad0e2430100bbca7b72623f464035b9cf9232

Download Submit
C:\Users\Admin\Downloads\x86.crdownload

Filesize
55KB

MD5
ba255af73932f84747b0ce42ad44337d

SHA1
253c50705cadef4674d60ba22a663288b12f1ea9

SHA256
dd3ab019b10aefc0fd02bc1a0492642b41e4c4b823d415490e036495b1e0a165

SHA512
bb5b72c4bcedfcbae10c2b0599c5d63238b5e24ff729653bc5cdadfff0327163351c8cf8c0c4f20be2e5a3ece52c0530449f166721579b1f6445924641e78427

Download Submit