Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 08:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://whatspos.com
Resource: win10v2004-20240426-en
General
Target: http://whatspos.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618753823473805" | chrome.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4832 | chrome.exe
4832 | chrome.exe
5024 | chrome.exe
5024 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid | Process
4832 | chrome.exe
4832 | chrome.exe
4832 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (26 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://whatspos.com
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4832

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0302ab58,0x7ffc0302ab68,0x7ffc0302ab78
  PID: 4472

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:2
  PID: 1064

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:8
  PID: 2772

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:8
  PID: 4508

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:1
  PID: 1628

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:1
  PID: 1536

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:1
  PID: 2632

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2940 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:8
  PID: 4540

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:8
  PID: 1488

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:8
  PID: 2896

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4164 --field-trial-handle=1912,i,12915135454145954785,4614435402236837735,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5024

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 60

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2c8
- Suspicious use of AdjustPrivilegeToken
PID: 3280
Network
MITRE ATT&CK Enterprise v15
Downloads