Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 07-06-2024 08:24

URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pub--4a35d179db07438aa8056db61cf9597c-r2-dev.translate.goog/shtml.html?_x_tr_sl=zh-TW&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#[email protected]
Resource: win10-20240404-en
General
Target: https://pub--4a35d179db07438aa8056db61cf9597c-r2-dev.translate.goog/shtml.html?_x_tr_sl=zh-TW&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#[email protected]

Note on the target URL: translate.goog is the domain of Google Translate's website proxy, so the page was fetched through Google's infrastructure rather than from the origin host directly, and the origin host does not appear in the URL as-is. In the proxy's hostname encoding a single hyphen stands for a dot and a double hyphen for a literal hyphen, so pub--4a35d179db07438aa8056db61cf9597c-r2-dev decodes to pub-4a35d179db07438aa8056db61cf9597c.r2.dev, the public URL of a Cloudflare R2 bucket. The _x_tr_* query parameters are the proxy's own translation settings (source language zh-TW, target en, UI language en) and say nothing about the content; the URL fragment carried an e-mail address, which is redacted in this copy of the report.
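As an added example, not part of the report, the following Python unwraps a translate.goog proxy URL into the origin URL it fronts, using the hyphen/dot hostname encoding described above, and separates the proxy's _x_tr_* parameters from what actually reaches the origin. The sample URL is the report's target copied verbatim, redacted fragment included; the function and constant names are this example's own.

```python
"""Unwrap a Google Translate proxy URL (...translate.goog) to the origin URL it fronts."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TRANSLATE_SUFFIX = ".translate.goog"

# Target URL exactly as recorded in the report (the fragment is redacted in that copy).
SAMPLE_URL = (
    "https://pub--4a35d179db07438aa8056db61cf9597c-r2-dev.translate.goog/shtml.html"
    "?_x_tr_sl=zh-TW&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#[email protected]"
)


def is_translate_proxy(url: str) -> bool:
    """True when the URL's host is served by Google Translate's website proxy."""
    host = urlsplit(url).hostname or ""
    return host.endswith(TRANSLATE_SUFFIX)


def decode_translate_host(host: str) -> str:
    """Reverse the proxy's hostname encoding.

    The proxy folds the origin host into one DNS label by writing '.' as '-'
    and a literal '-' as '--', e.g. 'my-site.example.com' -> 'my--site-example-com'.
    Splitting on '--' first keeps literal hyphens from being turned into dots.
    """
    if not host.endswith(TRANSLATE_SUFFIX):
        raise ValueError(f"not a translate.goog proxy host: {host!r}")
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def unwrap_translate_url(url: str):
    """Return (origin_url, translate_params).

    Query parameters named _x_tr_* belong to the proxy (source/target language,
    UI language, options) and are dropped; every other parameter and the fragment
    are passed through to the origin unchanged, so they are kept.
    """
    parts = urlsplit(url)
    origin_host = decode_translate_host(parts.hostname or "")
    if parts.port:
        origin_host = f"{origin_host}:{parts.port}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    translate_params = {k: v for k, v in params if k.startswith("_x_tr_")}
    passthrough = [(k, v) for k, v in params if not k.startswith("_x_tr_")]
    origin = urlunsplit(
        (parts.scheme, origin_host, parts.path, urlencode(passthrough), parts.fragment)
    )
    return origin, translate_params


if __name__ == "__main__":
    origin, translate_params = unwrap_translate_url(SAMPLE_URL)
    print("origin URL:      ", origin)
    print("translate params:", translate_params)
```

The decoded origin host is what should go into reputation lookups and blocklists; the proxy hostname itself only tells you that Google Translate was used as an intermediary.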
Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: chrome.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies data under HKEY_USERS (2 IoCs)
Process: chrome.exe
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622222837982335"
S-1-5-19 is the LOCAL SERVICE account hive. The value is a Windows FILETIME (100 ns ticks since 1601-01-01) and decodes to 2024-06-07 08:24:43 UTC, i.e. the time of this run, consistent with the submission time above.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 4964 chrome.exe (2 entries)
- PID 1480 chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- PID 4964 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: chrome.exe
- 64 token adjustments, all by PID 4964 chrome.exe, alternating between Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow (26 IoCs)
- 26 entries, all PID 4964 chrome.exe
Suspicious use of SendNotifyMessage (24 IoCs)
- 24 entries, all PID 4964 chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Process: chrome.exe
- PID 4964 wrote to memory of PID 1508 (chrome.exe, crashpad handler)
- PID 4964 wrote to memory of PID 4364 (chrome.exe, GPU process)
- PID 4964 wrote to memory of PID 3632 (chrome.exe, network service)
- PID 4964 wrote to memory of PID 592 (chrome.exe, storage service)
All 64 entries have PID 4964 as the writer and one of these four child PIDs as the target; the report repeats each pair many times.

Reading the signatures together: every hit is attributed to the Chrome browser process (PID 4964) or its GPU process (PID 1480), and every memory-write target is a chrome.exe child that the browser process had just spawned (see the process tree below). Writes from a parent into its own freshly created sandboxed children, token adjustments, process enumeration and tray-window lookups are part of a desktop browser starting up and managing its helper processes, so on their own these signatures describe normal Chrome behaviour rather than attacker activity. They carry no information about what the target URL served; that judgement has to rest on the URL, the network data and the dropped files.
Processes

The first three flags on the browser process (--disable-background-networking, --disable-component-update, --simulate-outdated-no-au) are the sandbox's own launch options that suppress Chrome's update and background traffic, so observed network activity is attributable to the page rather than to the browser. The installed Chrome is 106.0.5249.119 (from the crashpad annotation and the elevation_service.exe path). Depth-2 entries are children of PID 4964.

[depth 1] chrome.exe, PID 4964
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub--4a35d179db07438aa8056db61cf9597c-r2-dev.translate.goog/shtml.html?_x_tr_sl=zh-TW&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#[email protected]
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] chrome.exe, PID 1508 (crashpad handler)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffcad99758,0x7fffcad99768,0x7fffcad99778

  [depth 2] chrome.exe, PID 4364 (GPU process)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:2

  [depth 2] chrome.exe, PID 3632 (network service)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:8

  [depth 2] chrome.exe, PID 592 (storage service)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:8

  [depth 2] chrome.exe, PID 1772 (renderer)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:1

  [depth 2] chrome.exe, PID 3284 (renderer)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:1

  [depth 2] chrome.exe, PID 3028 (renderer)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:1

  [depth 2] chrome.exe, PID 3076 (utility: ProcessorMetrics)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:8

  [depth 2] chrome.exe, PID 3940 (utility: UtilWin)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:8

  [depth 2] chrome.exe, PID 1480 (GPU process relaunched without the GPU sandbox and with GL disabled)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4580 --field-trial-handle=1772,i,11116439249795774557,15640461272610527333,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

[depth 1] elevation_service.exe, PID 4068
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
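The following Python is an added example, not part of the report. It loads the process tree above and the (writer, target) pairs from the "Suspicious use of WriteProcessMemory" signature and checks each write against the tree: a write from a parent into its own same-image child is labelled as the expected broker-to-child pattern, anything else is queued for an analyst. Process roles are taken from each child's command line; the three extra pairs marked as constructed do not appear in the report and exist only to exercise the non-benign branches.

```python
"""Check WriteProcessMemory IoCs against the process tree recorded in a sandbox report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ELEVATION = r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None for depth-1 processes; the report shows no parent for them
    role: str


# Process tree as listed in the report; roles come from each child's --type / --utility-sub-type.
PROCESS_TREE: List[Proc] = [
    Proc(4964, CHROME, None, "browser"),
    Proc(1508, CHROME, 4964, "crashpad-handler"),
    Proc(4364, CHROME, 4964, "gpu-process"),
    Proc(3632, CHROME, 4964, "utility network.mojom.NetworkService"),
    Proc(592, CHROME, 4964, "utility storage.mojom.StorageService"),
    Proc(1772, CHROME, 4964, "renderer"),
    Proc(3284, CHROME, 4964, "renderer"),
    Proc(3028, CHROME, 4964, "renderer"),
    Proc(3076, CHROME, 4964, "utility chrome.mojom.ProcessorMetrics"),
    Proc(3940, CHROME, 4964, "utility chrome.mojom.UtilWin"),
    Proc(1480, CHROME, 4964, "gpu-process (no GPU sandbox)"),
    Proc(4068, ELEVATION, None, "elevation service"),
]

# The 64 WriteProcessMemory IoCs in the report collapse to these distinct (writer, target) pairs.
REPORTED_WRITES: List[Tuple[int, int]] = [(4964, 1508), (4964, 4364), (4964, 3632), (4964, 592)]

# Constructed pairs that are NOT in the report, used only to show the non-benign verdicts.
CONSTRUCTED_WRITES: List[Tuple[int, int]] = [(4964, 4068), (1772, 4964), (4964, 9999)]

BENIGN = "parent-to-own-child"


def classify_writes(procs: List[Proc], writes: List[Tuple[int, int]]):
    """Return (writer, target, verdict) for every write, using the recorded parent links."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for writer, target in writes:
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            kind = "unknown-process"          # target or writer never appeared in the tree
        elif t.parent == writer and t.image.lower() == w.image.lower():
            kind = BENIGN                     # broker initialising a child it just spawned
        elif t.parent == writer:
            kind = "parent-to-child-different-image"  # e.g. writing into a spawned system binary
        elif w.parent == target:
            kind = "child-to-parent"          # a sandboxed child writing up into its broker
        else:
            kind = "cross-process"            # no parent/child relation at all
        findings.append((writer, target, kind))
    return findings


def needs_analyst(findings):
    """Everything that is not the expected parent-to-own-child pattern."""
    return [f for f in findings if f[2] != BENIGN]


if __name__ == "__main__":
    for writer, target, kind in classify_writes(PROCESS_TREE, REPORTED_WRITES + CONSTRUCTED_WRITES):
        print(f"{writer:>5} -> {target:<5} {kind}")
```

On the report's own data every write is parent-to-own-child, which is why none of the 64 entries, taken alone, points at injection; a write into elevation_service.exe, or from a renderer back into the browser, would be the shape worth chasing.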
Network
MITRE ATT&CK Enterprise v15
Downloads

1. 576 B
   MD5:    a8363f75d5b454703ee6a7679f964411
   SHA1:   24c5cae696b99ec2ef8bb528f52aa4a1f54b7588
   SHA256: 942226fa659ba8b276304a5de6cc580cff088dae3597e272b96fdc7e4e992be9
   SHA512: 863786c78c9cc9c0d6c2c18889400707ce17fcb599333d20370276d1d2f03cd8778404bc00cfcf07f99d1842d9ccbfe261ccfb0598c45bd4c5ed44ca7dcf35fe

2. 3 KB
   MD5:    c9144a0d1bc8c1b8e7b8148ee1d61afc
   SHA1:   da6a3ca1370a6c38ac8e57e0205b37c9c91c5c2b
   SHA256: 02565532ad9e05f829c121898894c7e3d31bd2828472ca3bd264dbb4141b5431
   SHA512: 3e659c2c233d9c5fa7fa3c60688fd852aa6089b9d2de3d4842860f2bd2bfd911a62c7707dadffd3a89590d9935022c1073008c7d3c921a49cb8a73e9d83a072b

3. 3 KB
   MD5:    0866fdd1fb3f55b4ccf5f109ca64d93d
   SHA1:   5300055bb9b511d38f970f85fd51f78cec1aa0e1
   SHA256: d405e78a482ca68e37e4caa4d364c6a2aef631cce73ae81ad976282ee96e1174
   SHA512: 025781eb3d9c42143b0f34de0896dee56376e3d0a52315a39332e68beabba755011f7d228659915349f00740f7ac5550361d410c1f19d60e54ff3bf0fa4b1e80

4. 1 KB
   MD5:    d19605fb111864bce4f0a60ed2b52d56
   SHA1:   109bfc8ca710378a919aba561852742fa949c0ce
   SHA256: 6f6289adedbca5550e268ea9d9b1eb599909e412897e976c33b38d1b89bd28e7
   SHA512: 8938aee9d939ae768cae6f955b0200fa1973821bb2c942347b4308608ab7c33bf13fe2bcdda685725d8cda546ddbccbfb2cea9139163df5fe89fa09e9b9ffb69

5. 6 KB
   MD5:    97a8a6d1c9670aac5c428bdac61fc5ce
   SHA1:   5a0ad2a5581b5aa9c014c266ec16ad4a2861a46a
   SHA256: 0a793dfd7c29c08a630cefb607cbfd863a88b6f10878e883e31ffa61121cdf7c
   SHA512: 4c248a032bd0d6c1722156525fd6dda3dcbdaec38e2ae7d3c2457334dfe42336ea4d53dffc39068c0ac7d96d9e147ed7064885648c02a6974bb1bfab4a4e095c

6. 6 KB
   MD5:    07e51b964b32e8b05bb0ab999c71f23a
   SHA1:   7a67e6314e736a9aac02475c196bc5370c2e63cd
   SHA256: 7101a3fa71ac17a22fc4bb22f352b011e8ca236125f056483509567e897114ff
   SHA512: 0b930a4162e5ecbad4668bd9a4ae0fadc8734b2b48a1db7b3acb9f08fc70fda6d213cc42d0e7ea016cc041da579d3f6ff97d1dc5e6d9e3f1c1606d09e3831642

7. 6 KB
   MD5:    7ff1af8a093cb7b30a37d5d5fda3a90f
   SHA1:   12586f6f870feda6990952e6f4089a407b9b4be0
   SHA256: a1e0fc0d77671eb1975627a2bb23fbb6e272d5c47fdcc46a19e9f488f3e2d5fb
   SHA512: 70939e9069f4c39c59151b53d33cdc9ff3908a2f539c25deafab0838a4198394627f3a9080d8be9667da4326f287b897c553e4b3449a6c4184d9ef57297cdcd3

8. 136 KB
   MD5:    188d9ca4124e99e458cbce4435af1a93
   SHA1:   d2b1a2b0f79e4d60f9698901042e1f9ec6c42202
   SHA256: 1b3e79b1bd3f13a8be6788316f84c365bd9936849a6ce51b5beda6029b91acd8
   SHA512: 2e978fd2f5c98b79fcad9e33bfa66a602af4b3dea3403a552a8a323ce4f67d0b8fbfaa4ccfe0772d75d5b8a7c17e823406f45deed9de716c941731db3950553a

9. 2 B
   MD5:    99914b932bd37a50b983c5e7c90ae93b
   SHA1:   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
   SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
   SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
   These are the digests of the two-byte string {} (an empty JSON object), so this file carries no content worth pivoting on.

10. (no size recorded)
   MD5:    d41d8cd98f00b204e9800998ecf8427e
   SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
   SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
   SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
   These are the digests of the empty (0-byte) input; the missing size is consistent with an empty file.

The report names no paths for these files, so the eight non-trivial entries (1 to 8) are the hashes to search for elsewhere; entries 9 and 10 will match countless unrelated files.
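Added example, not from the report: recognising trivial content from a download table's digests alone, without the files. Three rows are copied from the table above; the mixed row is constructed to show how digests accidentally combined from two different files are caught. The digests of the trivial inputs are computed at run time rather than hard-coded, so the list of candidates can be extended freely.

```python
"""Flag sandbox 'Downloads' rows whose digests belong to trivial, content-free inputs."""
import hashlib
from typing import Dict, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Inputs that account for most unexplained rows in download tables: empty bodies and empty JSON.
TRIVIAL_CONTENTS: Dict[str, bytes] = {
    "empty file": b"",
    "empty JSON object": b"{}",
    "empty JSON array": b"[]",
    "JSON null": b"null",
    "single newline": b"\n",
}


def trivial_digest_index() -> Dict[Tuple[str, str], str]:
    """Map (algorithm, hex digest) -> label for every trivial input, over all four algorithms."""
    index = {}
    for label, data in TRIVIAL_CONTENTS.items():
        for algo in ALGOS:
            index[(algo, hashlib.new(algo, data).hexdigest())] = label
    return index


def classify_download(row: dict) -> str:
    """row maps algorithm names to hex digests as copied from a report; 'size' (bytes) is optional.

    Every digest present is looked up independently, so the row is recognised even when only
    some algorithms are listed, and a row whose digests disagree with each other is flagged.
    """
    index = trivial_digest_index()
    labels = {index.get((algo, row[algo].lower())) for algo in ALGOS if algo in row}
    labels.discard(None)
    if not labels:
        return "content not recognized"
    if len(labels) > 1:
        return "inconsistent digests"  # digests of different inputs mixed into one row
    label = labels.pop()
    size = row.get("size")
    if size is not None and size != len(TRIVIAL_CONTENTS[label]):
        return f"{label} (size mismatch: reported {size} bytes)"
    return label


# Rows from the report's Downloads table, copied verbatim (size in bytes where the report gives one).
REPORT_ROWS = {
    "576B": {"size": 576,
             "md5": "a8363f75d5b454703ee6a7679f964411",
             "sha1": "24c5cae696b99ec2ef8bb528f52aa4a1f54b7588",
             "sha256": "942226fa659ba8b276304a5de6cc580cff088dae3597e272b96fdc7e4e992be9"},
    "2B": {"size": 2,
           "md5": "99914b932bd37a50b983c5e7c90ae93b",
           "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
           "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"},
    "no size": {"md5": "d41d8cd98f00b204e9800998ecf8427e",
                "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed row (not in the report): MD5 of the empty input next to SHA-256 of "{}".
MIXED_ROW = {"md5": "d41d8cd98f00b204e9800998ecf8427e",
             "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}


if __name__ == "__main__":
    for name, row in REPORT_ROWS.items():
        print(f"{name:>8}: {classify_download(row)}")
    print(f"   mixed: {classify_download(MIXED_ROW)}")
```

Rows that come back as recognised trivial content can be dropped from hash hunting; the remaining rows are the ones worth submitting to a hash-lookup service or retro-hunt.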