hxxps://oxy[.]st/d/YzTh

Analysis

max time kernel
1200s
max time network
1174s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/YzTh

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622704490027456"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1052	3564	chrome.exe	80
PID 3564 wrote to memory of 1052	3564	chrome.exe	80
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 424	3564	chrome.exe	82
PID 3564 wrote to memory of 3964	3564	chrome.exe	83
PID 3564 wrote to memory of 3964	3564	chrome.exe	83
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84
PID 3564 wrote to memory of 816	3564	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/YzTh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff14a9ab58,0x7fff14a9ab68,0x7fff14a9ab78
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:2
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3688 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4040 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4344 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1832,i,1807728171304431478,959215947432998036,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
52c7a723aeb45d6912d396b9c5a7aa7b

SHA1
abf73d93c2efedd63e9da33395c8a38f9674a9e4

SHA256
d73f9d20690597db362d82350ac5675f975a553425a982b828b833b8c247ee9f

SHA512
f0ce2f453d0060ed8fdae55267567c32c653773ec818263a69934383d0e0920e869205ca4315d9fbbb92f6c38ac6e02f9f472953b0a3e19fda73e2addbf3b16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
584a929062bb7e29dc96eaab9a96da56

SHA1
91168227c6280c3a6c8971a5b1124d9485d1c393

SHA256
b2cc9e057ef0b886ec0d7ce43cd58974da34dca7fe3034e7aea1fa47debb6e8f

SHA512
09e5410034c0c3ae98e064720f4c6f7096d862948894020e35bc2a035575bacbd0e57938ae8f0e93e6ce6e5b3c1ac910add027502933eef2e33dd2f9700e92bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e3cc488efef8249c774466aa63eb4a85

SHA1
7d37c55e07804365f32840e3db5b945f6605868d

SHA256
2b0e8765afb9ef65e6cff19a5a76238320daec664eabf3ad23a4162c8b4d7872

SHA512
08aa83e62a0225304f80fb5a0b8bf17e24a2ec2eca4d1b9080eac5a241563594c980262f9638e2b20333118a6daf0bf8a758f29c833822927ac9a26f106362b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3512f38825deec397b8285668834dc4e

SHA1
dacb435ee619d2dba1c89e7b2ad7601b1449325e

SHA256
b1c3be43ee7b831ca2654de0a6c8c9062d1991f504c017cae2e0206c8ca44730

SHA512
6864e5424883d8cf1dc3106f22e55870d75d3457e6f665e20212c90c32b3cb814403fa2c800c85c5059a2867c1f92e03e326ea0c683fe60f29717117712d7d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
23d587275819eeee8d124446912af69c

SHA1
2e33d5659fa1e417edf910eee4d1450d1f110f8a

SHA256
8b307d9caf59a0648e3c14ca90430d77009397b68c0e7f4fbbe3b6c3f485c039

SHA512
4b115a593243f6ddebeaeed5ce49d361584ece34c630889e2ca9237b67ed16041f3ab0876fe7aa319394b2808605214801752864e8849b5803fda5875eea1599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
2398ebac3b1ffbb9b57b2c66bdfd71fe

SHA1
0cc049d95b1637ef13eccff25c0a23ed137244c6

SHA256
f9e9a1adb15196535ae559c3c47e742b3a62820845ab998a42c62f50f11ece29

SHA512
d8e70a8d28239092c5eb515fdc483a795b7d35f0f536c083eb5d00991f71968390d2ee02ed80dbec8117c6358e9a8960926c7bf65c935ad0733f3014f0a47bb8

Download Submit