hxxps://www[.]rededorsaoluiz[.]com[.]br/hospital/sao-luiz-sao-caetano

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.rededorsaoluiz.com.br/hospital/sao-luiz-sao-caetano

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
101	api.ipify.org
105	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625020382787512"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
4940	chrome.exe
4940	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 3004	1104	chrome.exe	81
PID 1104 wrote to memory of 3004	1104	chrome.exe	81
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 4656	1104	chrome.exe	82
PID 1104 wrote to memory of 3724	1104	chrome.exe	83
PID 1104 wrote to memory of 3724	1104	chrome.exe	83
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84
PID 1104 wrote to memory of 4032	1104	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.rededorsaoluiz.com.br/hospital/sao-luiz-sao-caetano
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6fe6ab58,0x7ffd6fe6ab68,0x7ffd6fe6ab78
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:2
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4168 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1904,i,8636787534177753982,1116692560090376416,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
a0a2fad8e2af8b644409fd6f4d43d687

SHA1
4f4882ae7bed63769577575f8c2def30a11c3d5b

SHA256
730308f75541814c81c17e755729d5dbab54ef16beefde40a9b832856623ff63

SHA512
bbe5bdad65de23391679664262bd6931471d403e7acd31383e7aaacc1f9bf365191e99c3d69fe457b067a5177845fd3264ffdeca8ba17654859750ec7863dab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\85af843d-bfb3-40af-87b9-cae7cb192506.tmp

Filesize
4KB

MD5
052a5ef30cfb9c8cf2145e3d6b3fed95

SHA1
cac259a3b548bd3e17d6aaa62f34b8c3275d6113

SHA256
8cab8b6ad0b51baa4c1d8003c13574c49413d1d77ffd7ae9b465e2a45679eb16

SHA512
fb386dab438e74a91ec753eb7654289ced3bd06e1bb8c0642a37ca4774ce2f5925b5d2c0ac5d4fe26978121757b0747fcdaf6c2075b70ee9cd66d86a1e5b66f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2472ec38c981f87a784fe830142d08b5

SHA1
f3a59b38c35e8a30801857a368bcf716cff2762f

SHA256
6d47f34b3fff7af7a10082215e0506811b548d114d6966297dd2e9a8c1c92ce5

SHA512
fc371ecb256cf426757bc140f2daaaf66b25012926e85ef2362607dcb935ffbc67a2d63a4c9de2aaed0a6e7443ce590e30c6239f25c3df1ef2787e68d87970e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
376ee674ebd7fc7552c53fc52efbf987

SHA1
2619e581f5dc1da5965ee4382387a219ee9a8a0e

SHA256
a6c347a33fb34c97e52ab3e6de0f1f7f0e28eee033028c0d1bb25ff6309c14fd

SHA512
63141138dd49dc35ea56f50c994fcacd069b8932c29085d04de7809389c925c8ccbfaf7a746aafb61cc4ceef017996406fb839237ea54a22d468abfc87fead3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cadfa49b697c7e49a18f97ff4f8042e0

SHA1
e694ca1720218468721c1ce54ea622adcc351143

SHA256
ca2aa8b34dd1a08af2bb8f96b0f25b824b7f44225dd651d3cb6611de1331f630

SHA512
e6ba52cb394c838c307c2fe23d6108dcb9d15cc8625b7bac8df7f98d1378aecce3cae7754a961c3f8921334e311e3d256198648d656567b874a83915eac3e7f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
21873166ce0f89907f27617c62edba37

SHA1
21aa14320a095f97085fc1582e246776dafd9a5c

SHA256
1c493505e40ea49a463f76e80d8b18a34f0e693e6e7a308c5c85419f6b4a5f43

SHA512
419ed2fe9c4110a6cb28470cc853995828b40a319ac68d3d36c3236152acb27c06dc55d6a47ae0392fa0c2cf14106aa7fbb91044f2ead34cccc8046e3a15e814

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6b612346114d804a69e62c28916afcb5

SHA1
d1d659f45748d04c86498bc9d98386249331210c

SHA256
1be4b1e1298f13d93beb2a06fdc5e4d8e341dba07edc78f110ce3d2ed28b5c5e

SHA512
edb4ce58df224a99fb56c61a8a1373cf33cf20a5f2ad059f92b5b2aaff13f84e676877b7539824f13a81406b01a610402c85fbd5919eae2e53d056eda1ede7cf

Download Submit