64e6a359c821fe49ba9cc04190e2b6a2453423ac11b00df7fe05dea4d5b1de0a

Analysis

max time kernel
1199s
max time network
1172s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04-06-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new-york-airports-v2-x-kjfk-klga-kteb.html
Size

208KB
MD5

af010076ec1b443d6d80504aa7d80766
SHA1

d292329df01d485a1c55d67b2bc3519aa997f348
SHA256

64e6a359c821fe49ba9cc04190e2b6a2453423ac11b00df7fe05dea4d5b1de0a
SHA512

5953a49ade35a4d28824a1e0560f96a07aca1de65e772a71f64f2acd75db03e63cbaa066e89256f27f929185804c4e84cd01762b87230649f7d13440af288a22
SSDEEP

1536:pg2617khb7TVtF0iBs7et4XKpJVmfgJqDqfgVmbMdcGsOZg1XgcAI+2bsawyhSM5:L7xtycGsOZg1XgcAI+2wawiXGiaBnsd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619887278367253"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 960	1232	chrome.exe	81
PID 1232 wrote to memory of 960	1232	chrome.exe	81
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 1028	1232	chrome.exe	83
PID 1232 wrote to memory of 2764	1232	chrome.exe	84
PID 1232 wrote to memory of 2764	1232	chrome.exe	84
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85
PID 1232 wrote to memory of 2268	1232	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\new-york-airports-v2-x-kjfk-klga-kteb.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80838ab58,0x7ff80838ab68,0x7ff80838ab78
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:2
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1492 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 --field-trial-handle=1820,i,15563750746936598416,7371854022490351267,131072 /prefetch:8
  2⤵
  PID:4800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
308ef16b8fdaf12e9b5e7a48b10719d7

SHA1
610529d5385608de4a495fb0e7d95c1000233447

SHA256
0ed76bde81cfc6f03972b66cfb87816a2bb00b42cfb73ea31999589b0ad15a1c

SHA512
6b355fc9da0fab5d4069483d0d545bb21ddec235b05283d491dd9eda0071c9f3e32a437c59afa6705bde20baca64a90f95a1b74dbed264f37391e4f5b1b3f5c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4851a591545453466e09b107df9586c7

SHA1
687ea92aa0e85c6575b868fccbd7de7845ae94f0

SHA256
e977889ce25b9a1cdd429057dbd2aabbbfdc41e28a3edc9c9cf155f072933253

SHA512
7cf93c8ce5913ff20bfc6d542607437146c429005dee6d13046ae546b55c4b89e2b4cb57ba9f5ea4612c3461307d635e3b2ab791ce343ef861ed98c16b0f0d8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43b54787647d8c0cc4fde217e4be2ca9

SHA1
e9e05f0e41be239700f4a8e53b3f5d35197dee8b

SHA256
993d6f235f1dbf5256bc40642cb3c09c1cb648bced0dd57db086ae7f70b89f62

SHA512
2299b05ab487df308871089d5bc5dfdcbb5f73b94bb19392eb5e3bbc189515c58dbcf9f6042a9bc1176ecffde2253781f24e4998f53e29b9278ecb9afa38b9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
42328fb5237be25b1b465a7d6e08b7f5

SHA1
8c22cc4bbbbed0a57394fa973b9abb5da0c276cf

SHA256
d5aefcbc296cdaa7e24931ce5e4dfea63a510a3c5db61754ec2d0101d090fe83

SHA512
f255415ef5a910b7e3dc3cea4cbfce6888304b3c2691b2fbd4dadaf6a7f508b30bcf4f7858f28feb909c336b0cb90a0ecb2357a0276f8d12f124e020a812075b

Download Submit