hxxps://aguasazuis[.]com[.]br

Resubmissions

14/06/2024, 21:18

240614-z546kszfmj 1

14/06/2024, 21:17

14/06/2024, 21:00

14/06/2024, 20:28

14/06/2024, 20:08

14/06/2024, 20:03

Analysis

max time kernel
40s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aguasazuis.com.br

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628734888997636"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3288	4896	chrome.exe	83
PID 4896 wrote to memory of 3288	4896	chrome.exe	83
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 2672	4896	chrome.exe	84
PID 4896 wrote to memory of 5056	4896	chrome.exe	85
PID 4896 wrote to memory of 5056	4896	chrome.exe	85
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86
PID 4896 wrote to memory of 2256	4896	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://aguasazuis.com.br
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80fb7ab58,0x7ff80fb7ab68,0x7ff80fb7ab78
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:2
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5092 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3356 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4984 --field-trial-handle=1912,i,11359889570236910516,9061541923182033889,131072 /prefetch:1
  2⤵
  PID:3052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7297888908c6a0adabd8067dea61a91a

SHA1
b114f40ca9c3f032e1ac0acd5cfdb8d9c7594905

SHA256
9cbe77dcc9610cc82a1cf278c094ae30c02ea80fe343a98df2e9f2bbd8fd711a

SHA512
45a71c05b6824b61b7802cdbe299fd6b7e8b7dca6ffbd9a4fe336ff05e602df1e2d8ded4acc41b7222ae29ac768b6e047eaf53050110b5489f3bec3f49cc95be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
64973cca1a892322cbcd5ce1a80eea2e

SHA1
1a6327617c7b88f3ce612742d3f1636d0e45e72d

SHA256
1cce5c638854b3171f8a5b39c60bbe62e47a7346b751139c218c2b80a6f03cce

SHA512
b7d01a17afb1dae7b65b75e83caeff9c27349d39405a956b9f25742c8a2c600ec2ce3129578c5bcc62252255cc46f0ed3147bd012154c0c39fcfc2daeaa46980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
bf61c8b0666716dbebcc7dec36f50083

SHA1
a61dfcccdb7edba630f0de6be00d5f845c0090e3

SHA256
eb842b2c70a6b66ffbd308dabec7cb7d76f9f10165d759b235d631ac265e5b68

SHA512
16a86273397f0cf48c1693250e1087b9af933e093b838bfe7d928832a53c73c4ac67ce15601d11b7a0757d81890cd78aa47f430369be5338e151d341270780fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580b94.TMP

Filesize
88KB

MD5
35d69b08eb788fdd9443c9a05496e55a

SHA1
ecbc02401c77a1f0419fae16359b87b4d833dc4f

SHA256
fd7377876edbf112fd63ebdc947c1d404ead8375e09b2daeb8ac80ce146ba4eb

SHA512
2302dc20f39a716488b62a2210a6f5652f80bdd00dec702796def2cd285b1b85e25ff6d0a1bf09d3ea24676e6ed72b031457cd76b1b3e2f47d56206861c39145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\dfba7b15-3b97-4787-bb20-61ff7d4c3d7c.tmp

Filesize
91KB

MD5
3632b9b1620367b11a1148b85dbebe5c

SHA1
819231e1ec3f6a1351497b11d779432588708e3f

SHA256
d43079d126eb37774ef51436b695797211a54d808aa9d93eb9b3196dbbd1942b

SHA512
ce1f5b139a79422fc4c40fe50a2eaba93baae027984ca1e1d9d6f889e8b79a6e61e0663d472d1f2bd810c7e00a0f855b739d028249299cd125d65a7f983d4aa5

Download Submit