hxxp://195[.]201[.]56[.]244[:]443

Analysis

max time kernel
24s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 06:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://195.201.56.244:443

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613512715777534"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4396	3684	chrome.exe	82
PID 3684 wrote to memory of 4396	3684	chrome.exe	82
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 3540	3684	chrome.exe	83
PID 3684 wrote to memory of 2672	3684	chrome.exe	84
PID 3684 wrote to memory of 2672	3684	chrome.exe	84
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85
PID 3684 wrote to memory of 1768	3684	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://195.201.56.244:443
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1a8ab58,0x7ffee1a8ab68,0x7ffee1a8ab78
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3460 --field-trial-handle=1652,i,1408654041754327201,13359932777467277060,131072 /prefetch:1
  2⤵
  PID:3620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
77e209d4dfe7c7097eb2c29b47461c7e

SHA1
223ef451b1d420b8cb3ad493d87d5f4c3ff56434

SHA256
ddcc181f2425d7f1d09ae904750bcdc316ea34d1a1d1af0bee0df24f12a4986c

SHA512
b80d464765dbbca7d836bfb4e7f32e122adee8a9ba787ac85b2146f2d19e24eb9322a43216786a8af6537a229a63458f116f1c60348e2f56b0f1fa312508ac47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7c0f963ff93db851e8a2aa735a45bfbd

SHA1
ea850ae9085658194d6d3a975b4ed43e9706e926

SHA256
5e74db76ba4033160a365a698870e2fa4b5e76cc2e6fb27ae7809e54c322071c

SHA512
f56553c0688e98f653a69443de7b819f8e7fa1d9c0d491a7cfac3488a4f733ac56cdaef03b7054b2e07a766cfdf8d2b566abb7b61f2934ecba5088fe7f64b79d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
88f6c92f63015a7564f14fbfc78817da

SHA1
631480dc0a1abf55a75ad948d445662eda335324

SHA256
c8d25485c5d2cdac55e3d7d4a93cd2ce1f5517223010712509bf932c91ebd9ae

SHA512
b073e2526328c92cd618c2e1d3304eaffa172384b8c3581985a0d0d0042618890ba296bd84f99fe66e18c49b7a0ddeb4482c6bd95a6bb4af8a015d3f724b2f37

Download Submit