Analysis
-
max time kernel
299s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
12/06/2024, 15:29
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://proximate-entresol-9827a14fb221.herokuapp.com/u?mid=66674c9034a55200015def4b
Resource
win10v2004-20240611-en
General
-
Target
https://proximate-entresol-9827a14fb221.herokuapp.com/u?mid=66674c9034a55200015def4b
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Modifies data under HKEY_USERS 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
1268 chrome.exe
1268 chrome.exe
1480 chrome.exe
1480 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
1268 chrome.exe
1268 chrome.exe
1268 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 1268 chrome.exe
Token: SeCreatePagefilePrivilege 1268 chrome.exe
(these two entries alternate across all 64 IoCs)
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process
1268 chrome.exe (all 26 entries identical)
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
1268 chrome.exe (all 24 entries identical)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1268 wrote to memory of 2468 1268 chrome.exe 81
PID 1268 wrote to memory of 4900 1268 chrome.exe 82
PID 1268 wrote to memory of 4680 1268 chrome.exe 83
PID 1268 wrote to memory of 768 1268 chrome.exe 84
(64 IoCs in total; each row above is repeated once per write to the same target process)
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://proximate-entresol-9827a14fb221.herokuapp.com/u?mid=66674c9034a55200015def4b
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcac9cab58,0x7ffcac9cab68,0x7ffcac9cab78
  PID:2468
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:2
  PID:4900
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:8
  PID:4680
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:8
  PID:768
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:1
  PID:3340
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:1
  PID:3276
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3604 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:1
  PID:2976
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:8
  PID:1976
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:8
  PID:1180
-
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 --field-trial-handle=1308,i,12368572554890191649,16967231640401654422,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID:824
Network
MITRE ATT&CK Enterprise v15
Downloads