hxxp://OnlySexyGirl[.]com/ID9821

Analysis

max time kernel
55s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 07:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://OnlySexyGirl.com/ID9821

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619590237664025"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1372	2992	chrome.exe	83
PID 2992 wrote to memory of 1372	2992	chrome.exe	83
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 4104	2992	chrome.exe	85
PID 2992 wrote to memory of 1384	2992	chrome.exe	86
PID 2992 wrote to memory of 1384	2992	chrome.exe	86
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87
PID 2992 wrote to memory of 1460	2992	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://OnlySexyGirl.com/ID9821
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa82fcab58,0x7ffa82fcab68,0x7ffa82fcab78
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:1
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1912,i,2710381157320774050,16649249758446105614,131072 /prefetch:8
  2⤵
  PID:2736

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b2812e59c411bacdcae96bbb85b07bc9

SHA1
3ac44a540916cffc89b965b1c4e5d093dce0526c

SHA256
6f1adb6b7ae9ebbe6faf27a6809e77468724c0cda47a2d50f60f996087b35cbe

SHA512
ba57753d025613afb3c5a6adfa206dab4354a8fd35bebc78077f0efc1a0778b9ac23f7543e3affb93e3207cbd1b94a9395bf37371e5f931d876ce9ff47d5d0bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
61a55caff64b0fc089949e8a04b1fc88

SHA1
2f781968e2660b28df02342b8d354e9d48851afa

SHA256
379528eddb86a64c3ecd2c57f921e23994e8f228003ea9559d86a0147aad60f9

SHA512
c85fe46d9aa9e64d3c8fd22b6792169472d353d34184b45ac1e41aff8712c166b485b5946cabfff653016e49ab37da3d02979b36911d4790f3872e5a639cb58c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0f5705f67058bc8f2f12ed1bee0f4da9

SHA1
283dc90361bbb3cc75ad1a0a6f4d4eafa66f577a

SHA256
6e005ea9c61c6e1a0d098854aa11c65ae217b15c67a6245285a1a3f321a801d1

SHA512
a297f374ff0c3f5bfe998f4d40a91cec571e954184782a747018c67609125127a4784664255bf40daca1e074912239aa241f10a877de6823e4a9742d57a89f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\df6f0950-a0c1-4c92-8579-4066d299d3b7.tmp

Filesize
7KB

MD5
f2aa71d16e86ec624b444274c82a36e9

SHA1
5af7e7c93995db9a7733bcf9476401e9cf1de231

SHA256
1992302a9f17c9b3f38a851ac519420545a65db119dbcdf5b5a0e80a46bc2dc2

SHA512
9b2b7ba39858282a5e0055331795cab551e27dbb48627b14c24df2ee9d7a2295cb4faf5946a05ae3bb963cc1ffcf5246d1056b32df1a24da435e4ab2425b57f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
c79586cd689c443037b04110db13b1e3

SHA1
5f68de4eff9cf3b58b9247df6a37367bac1a127f

SHA256
89837bc3735510aa4c8333b153120c41a69c12a96d7a2090d07caf711dcadb5d

SHA512
7b8f153df2c6a45738a2c42a76253ca315a851baf89aee2579b00a969edc7fb6d09d968d272e650265352a793edf025518b59c5f0ce398a784bd32106f6030b5

Download Submit