hxxps://capa-consult[.]com/erwhq7/?98793823

Resubmissions

28/05/2024, 16:31

240528-t1nedabh2x 1

28/05/2024, 16:20

240528-ts74tabe8z 1

Analysis

max time kernel
112s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 16:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://capa-consult.com/erwhq7/?98793823

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613875044953376"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4332	chrome.exe
4332	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4576	4332	chrome.exe	90
PID 4332 wrote to memory of 4576	4332	chrome.exe	90
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 3320	4332	chrome.exe	91
PID 4332 wrote to memory of 756	4332	chrome.exe	92
PID 4332 wrote to memory of 756	4332	chrome.exe	92
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93
PID 4332 wrote to memory of 3680	4332	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://capa-consult.com/erwhq7/?98793823
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc07d4ab58,0x7ffc07d4ab68,0x7ffc07d4ab78
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1240 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4420 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4856 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3092 --field-trial-handle=1988,i,4118449500719923053,2747131280418572050,131072 /prefetch:8
  2⤵
  PID:5432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c441b015af9862bf87b0f912cb663b45

SHA1
64f6960d640cabca3b832deea3220189499f5d76

SHA256
d0c6e26a31d76e2ca6dbf8aad93f49e66763833fe246ef69bb9dff2679048e9b

SHA512
1452aa8e0e4fa098561292520165fdbda8d23000c6665bb974becdb5a3c1fab6d288f02d24e025c9385d740114eed8f91b9988fb63bc7651bc216cbf46a7ff81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
03f4b3d3fd9568f07f00cefb5f4ab2ec

SHA1
6465469e8b934df1aad12b030603d78c18854f90

SHA256
cb738ac1ef4ac919c13cecf51b8384606cea707704839af4641804086c3e26a6

SHA512
b2d7947bac8f73f470e79efb8321dddcb0fafdcb5e8e6bc5e087932c0fbfd285f39ea0aa56c501a2851816f0dce30f3bbc3c7de59335ceb7f83e3248182cc6c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
df9b175c13849b11f3087789ea3cfbd0

SHA1
dcf97e83757be80c3370753a87bfe287bde2e830

SHA256
f4ac6d298a38e02e0168a9aa40f63c281fe060ea6b1352ac86059ee5b72a5617

SHA512
87ea78b340984e610305653fb8c251bd3878d7e79e555aebd1bebe9df220804083b7a63a166ddecdf5a1ed6a25e5cb4af2c59ec49b5e78db2e4ee634972b29a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e9d6c1039eb62cfa6c8ce98372ae9bda

SHA1
3e1c1073254f790186d0055fc13645f3f6cea723

SHA256
440f651a26f886c7c0eba362fc5507f15f04e1d7c4c17c741c37bbdc35721be1

SHA512
b94ee489b5eab49832192b6daff769b45e2e930e550d4743890f83ede822e6f2fd82576c1b8d85886577b9971d8f40af1b4326423ee39fc665309e511468243d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
0ec0c18ee65d69a02cbc08226b74d110

SHA1
0c487d3016a5c9f80b4c0ea4067e69773d83e90c

SHA256
ccaa5f7cff865db9678609b0ff138d8b19520a4b241988f1c54b40f24d80f085

SHA512
f8821d8e659e7e33d57b3f25e84e1184089082560418f5959511adc213fad702d50899e647ca63b30b980b497c6f84d8dcda0bb613065e245ca0f96e40dc8eed

Download Submit