Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-06-2024 01:14
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://officediraccoltaanabelacosta.net/66d68cedafdad73c83226asnd81948966d68ce73c83226a.php
    Resource: win10v2004-20240611-en
General
  Target: https://officediraccoltaanabelacosta.net/66d68cedafdad73c83226asnd81948966d68ce73c83226a.php
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                            Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                          chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627149004508799"    chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  5052  chrome.exe
  5052  chrome.exe
  1312  chrome.exe
  1312  chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process
  5052  chrome.exe  (3 identical rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                        pid   Process
  Token: SeShutdownPrivilege         5052  chrome.exe   (these two rows alternate, 6 pairs)
  Token: SeCreatePagefilePrivilege   5052  chrome.exe
  Token: 33                          4572  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  4572  AUDIODG.EXE
  Token: SeShutdownPrivilege         5052  chrome.exe   (the remaining 50 rows alternate between these two, 25 pairs)
  Token: SeCreatePagefilePrivilege   5052  chrome.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  5052  chrome.exe  (26 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  5052  chrome.exe  (24 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 5052 wrote to memory of 3312   5052  chrome.exe  84   (2 rows)
  PID 5052 wrote to memory of 1792   5052  chrome.exe  85   (30 rows)
  PID 5052 wrote to memory of 2844   5052  chrome.exe  86   (2 rows)
  PID 5052 wrote to memory of 4032   5052  chrome.exe  87   (30 rows)
Processes
Process tree (indentation shows the depth reported for each process)

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5052)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://officediraccoltaanabelacosta.net/66d68cedafdad73c83226asnd81948966d68ce73c83226a.php
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3312)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa00cab58,0x7ffaa00cab68,0x7ffaa00cab78

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1792)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2844)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4032)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5108)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3584)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2400)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4168 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2896)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4448 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3704)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3012)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1312)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1872,i,3256665445217127843,5718263281110143999,131072 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 1900)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\system32\AUDIODG.EXE  (PID 4572)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x520 0x154
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 840B
MD5:    8ff4ea55dd77245213236e78adecadfa
SHA1:   26459907a9cf27382d5ce2d2b4241731ad931353
SHA256: 437af34511f9d853b0212c9ca7237642aef1bd87111604252af6520ca4a085e1
SHA512: 8e3541197724d3c7c5c9dd7613e1fbe6207d11940635a154f8aa74bcccdbcb8d6eb4ea41336bda05d0d6e4ae5c0ecf97840c3072e7076a8ce80cb672ff8b23b2

Filesize: 4KB
MD5:    e7a33e646e62f26f2e606876418063ef
SHA1:   28090d742e6a6585ae46b4f9187bf2ac6cf16f2e
SHA256: a4eb4be4f4c41eb749b51e3153a4113d3d0c07aa618ff6221b94d73086ba8979
SHA512: ef8a1bde9886968eae279f20ae408dac1216498d2b91ae67e6f581b1fcafd18a411c708dda01da10656546a7e877e2f3053e66fa1a28b5d59d1a7e6c4e6f3ccf

Filesize: 2B
MD5:    d751713988987e9331980363e24189ce
SHA1:   97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5:    d94882c15b641b1f5c9b0d51ea705b94
SHA1:   181ef97a23ea2e572edf35255147310763885953
SHA256: 52b630118f28a0eccfba36422004f9e2814fd065ee7e471962545c75508ca286
SHA512: 334cec1489329a019a7861263ca6c7d35a40e1e50ac95ebd3578adc40d98d50bc6c8c7c1539363e72f3caf6558c909a889d50b72a7d095fd112c3147da4fc4ce

Filesize: 1KB
MD5:    0a2dc922b82af4892f56210203f5fae2
SHA1:   c40acc12303b803c32cec02d70543dd398ff4a19
SHA256: 1d07e6830948e6e9884cf1f889e98b0b3a7628d778c081034b57c486d73ef047
SHA512: 8eff1745177a7941ec843e19171e1cd41e1061b356a70b59c11c6cf9fd662dea1477939957742ffe041c96ad7a0957f252f114eb4efd904ed0408ea4762b87f5

Filesize: 1KB
MD5:    a882faf0d2d955c6bf4e96a5a86326e9
SHA1:   526c2d7c049439ac7db0776f22fe975daaa68794
SHA256: 9f8168cede80027f6a3f49883ab2cadb8bc6d1fa7d280bb5d6eea6905d62f837
SHA512: f357b167235ad82c2ce10b545b2c4829e96822503738fb2b44fecd2a15b12119aafdf87666ca8f8e015342458f9009a64e73e0e48c0f7361d88c7c075abf91f8

Filesize: 7KB
MD5:    511e94bcfa4b9bdaf8579a2e9eb27c20
SHA1:   4424f3499cb7bc0dc0c293f6c7950056c47ea962
SHA256: c2a487dfdd39c5562930a1d7912dd384627c43c73dbf1c41c86e1fa9238e1694
SHA512: 64811331c45643deb866e54aec8464e3cdaf0a861c3dfe31cc4b789b4a74eaa5054e816f47347e99958d93533f4a7a6490934327530caae5100aa2e69434d7fd

Filesize: 138KB
MD5:    5afdef4104a729b16781f7f5f89efec9
SHA1:   c82b1130419af881a28b6a1dfbd28cba9275d92a
SHA256: cb46f8151596e03a2322757b7d386de0491ea8aeb6a2c207104853d7c653d121
SHA512: 78e4ed323146474581578a48f06e8f591108488d3a2cd56482ec835788f78402df6f785cf2e1e27ae1ab416ce3471c0bec8a7aeda154158e9c475017502a2211