hxxps://qpkz3vd[.]r[.]eu-west-2[.]awstrack[.]me/I0/010b018fab491bf8-757e3333-a65c-40d0-8d43-48d01da41d0a-000000/moCV2DDHir8fQrhM_F9gM3Qqf7I=160

Analysis

max time kernel
54s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27/05/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://qpkz3vd.r.eu-west-2.awstrack.me/I0/010b018fab491bf8-757e3333-a65c-40d0-8d43-48d01da41d0a-000000/moCV2DDHir8fQrhM_F9gM3Qqf7I=160

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612736432487177"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 3084	1896	chrome.exe	79
PID 1896 wrote to memory of 3084	1896	chrome.exe	79
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 4256	1896	chrome.exe	80
PID 1896 wrote to memory of 2904	1896	chrome.exe	81
PID 1896 wrote to memory of 2904	1896	chrome.exe	81
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82
PID 1896 wrote to memory of 3508	1896	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://qpkz3vd.r.eu-west-2.awstrack.me/I0/010b018fab491bf8-757e3333-a65c-40d0-8d43-48d01da41d0a-000000/moCV2DDHir8fQrhM_F9gM3Qqf7I=160
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8481bcc40,0x7ff8481bcc4c,0x7ff8481bcc58
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4556,i,10233530147517164247,6372720017052778291,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:4968

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0b2f6565b87656973924fceddc9c017c

SHA1
e519a173201b48ca0bfe082cdfed7898925a1202

SHA256
05b5997571a0acbfc6702a16bed04deb4d2c4b26c8573f04d56c9763e30e8c10

SHA512
365f0a93a900a7a64a70920f00d05d73a163380a6f3df0147777a1ed9eb5aa27d2c7ceb28abe2b8b6b4bc4390aed8723ab1706610a3287e9dc8f1f4ba70b7ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90b497ac3879fdd1bf3523ab6563e6bf

SHA1
a0a17b0a2eb35078a4f6841e89e1f702a6b2fc88

SHA256
e89e08bcdcb087ca9cf9ed10d0318dd2b2520bbeb4a6dd4a064432717d4713d9

SHA512
d3edd4c090f89d1f0795990d10323db3822e67962f4afb062b522653e90e800295a3a01f2f42eda646e53baad07f24d43b43fc225f31d12f692de222e957892d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48a9b8dec9eeb4bdf41722a8f3ab2346

SHA1
936ef82a6a4a0d8401fa7deacb091e0dd409fe12

SHA256
2cd3e847cfc04e8248c698a5c732b0971165d8367181a67c17d6b4ed1e91120a

SHA512
fe862e7c89d40aacce485e626300539eefcceae8b2af5a32c5da4d39a8b03d2d05a0ee4dd06d8f02f35c398bf470d437397f20796bbcface698f511538c436bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
ea8c566cb3038394754ddb42f23b06cd

SHA1
69245a6f7b8d3860777d775b75ca0a8658d46ab7

SHA256
3789db00cbb14a79ce36ab1f64a5a90323b2bef5ca6d5452dc0a369f0d60e160

SHA512
f420ae431bef9979b30d2291573e29e81fcb0f9879f5f9037628368c2624219df2a86246e46a275c66375e7fb9b7e432f9d5d440402156c050041801545a3026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
5ea75b9d0626952eb59ee85704be414f

SHA1
de4bb2cb9a2a71923b81a15597a97751774431ac

SHA256
7336f203fcd5e045334f6213682589a0af8f36cde63a900c44753423c5709709

SHA512
f08ff50c21ac6317f211401bca5e54bb96550a0c077c9e91b8eac430fc3ed1b53cc16916ee6588301dba2d4f20583ff2d5784bea6ee2829e7bd566ffc259bb56

Download Submit