Analysis
max time kernel: 120s
max time network: 100s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 29-05-2024 09:46
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ulsan.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZnYXRld2F5LmxpZ2h0aG91c2Uuc3RvcmFnZSUyRmlwZnMlMkZRbWY1UXdRcGNoTEpwYlYzalBVUFVybjloYmtXUEJBSnFETldtNXdvQ1luM3JNJTJG&sig=FDyDQpV2zkwzTpc9gB6HbMb3pktZEbJpev5MJyWBnWqL&iat=1716802816&a=%7C%7C802090301%7C%7C&account=ulsan%2Eactivehosted%2Ecom&email=uR1ljqUGzWn%2F3rYB4t1bTZZr2SBaiR96NETMO%2F53K9Av7co%2ByA%3D%3D%3A0iktz%2F5e5TCScgjt9tDuNH0usKRySOeH&s=90d336c5c6ee30524ab085005369ba8d&i=6A8A0A13#[email protected]
Resource: win10-20240404-en
General
Target: https://ulsan.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZnYXRld2F5LmxpZ2h0aG91c2Uuc3RvcmFnZSUyRmlwZnMlMkZRbWY1UXdRcGNoTEpwYlYzalBVUFVybjloYmtXUEJBSnFETldtNXdvQ1luM3JNJTJG&sig=FDyDQpV2zkwzTpc9gB6HbMb3pktZEbJpev5MJyWBnWqL&iat=1716802816&a=%7C%7C802090301%7C%7C&account=ulsan%2Eactivehosted%2Ecom&email=uR1ljqUGzWn%2F3rYB4t1bTZZr2SBaiR96NETMO%2F53K9Av7co%2ByA%3D%3D%3A0iktz%2F5e5TCScgjt9tDuNH0usKRySOeH&s=90d336c5c6ee30524ab085005369ba8d&i=6A8A0A13#[email protected]
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614496063836548" (chrome.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1428 chrome.exe
- PID 1428 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
- Token: SeShutdownPrivilege, PID 1428 chrome.exe
- Token: SeCreatePagefilePrivilege, PID 1428 chrome.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
- PID 1428 chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1428 wrote to memory of 3200 1428 chrome.exe 72 PID 1428 wrote to memory of 3200 1428 chrome.exe 72 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 
chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 2108 1428 chrome.exe 74 PID 1428 wrote to memory of 1436 1428 chrome.exe 75 PID 1428 wrote to memory of 1436 1428 chrome.exe 75 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76 PID 1428 wrote to memory of 2456 1428 chrome.exe 76
Processes

- "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ulsan.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZnYXRld2F5LmxpZ2h0aG91c2Uuc3RvcmFnZSUyRmlwZnMlMkZRbWY1UXdRcGNoTEpwYlYzalBVUFVybjloYmtXUEJBSnFETldtNXdvQ1luM3JNJTJG&sig=FDyDQpV2zkwzTpc9gB6HbMb3pktZEbJpev5MJyWBnWqL&iat=1716802816&a=%7C%7C802090301%7C%7C&account=ulsan%2Eactivehosted%2Ecom&email=uR1ljqUGzWn%2F3rYB4t1bTZZr2SBaiR96NETMO%2F53K9Av7co%2ByA%3D%3D%3A0iktz%2F5e5TCScgjt9tDuNH0usKRySOeH&s=90d336c5c6ee30524ab085005369ba8d&i=6A8A0A13#[email protected]
  PID: 1428
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x88,0xd8,0x7ffc1cbe9758,0x7ffc1cbe9768,0x7ffc1cbe9778
    PID: 3200
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:2
    PID: 2108
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:8
    PID: 1436
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:8
    PID: 2456
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:1
    PID: 1580
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:1
    PID: 3180
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3736 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:1
    PID: 2364
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:8
    PID: 4700
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1868,i,3069181588414902048,1206806459789149314,131072 /prefetch:8
    PID: 4832
- "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 1480
Network
MITRE ATT&CK Enterprise v15
Downloads