hxxps://forms[.]gle/y3V8KvY6RMdSzKUU8

Analysis

max time kernel
299s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 08:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://forms.gle/y3V8KvY6RMdSzKUU8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630850231126476"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1012	2592	chrome.exe	82
PID 2592 wrote to memory of 1012	2592	chrome.exe	82
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4832	2592	chrome.exe	84
PID 2592 wrote to memory of 4936	2592	chrome.exe	85
PID 2592 wrote to memory of 4936	2592	chrome.exe	85
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86
PID 2592 wrote to memory of 4544	2592	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://forms.gle/y3V8KvY6RMdSzKUU8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b9bab58,0x7ffa6b9bab68,0x7ffa6b9bab78
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3892 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1960,i,344444379635017375,14665186498333293486,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
c6e97ba356cba830e6ba05dba82a4cca

SHA1
fba98e796bfcf8342e1fa7c4442f877a9bfa27f8

SHA256
dab32281742851d000002cd09a6d589edd59caa92c3d60390795b43fd67d6dd8

SHA512
95ff3e508037103c06f8a9adc2db3a09d6a844a71e3430638bdd4251dd6be4d2b0b4c077694f0c71b2ee1399632862b7e042ba8afac66601266d5b570e18bc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c5ad8903af23854f9610d3df8214e659

SHA1
a53881384d25b770d937be17260c655f1829b093

SHA256
b80faa4f11249bb16bc367c1d684d823b46d620ad050189f3a278472da1a975d

SHA512
9a971a922473ea53ec667f6ba305db566c39bac285240e98d2b9b77bc39e3efe24cafed581a1d61daea494405e5542b6be1f18b73a16c3ea7dd02384af9b6e63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fca4bc1bedb0fbea5bd70375576ccd2f

SHA1
649f91c83b2a1c31534f2db80dea0287771ae4e5

SHA256
8b448a43d88f691f7ef249788525303daa4741a11c50c965906eddd6947725fa

SHA512
b1fd7497a03ac37cc0357e01f89418e7cf2e824f54e4d5ea8ec4733c0d45f63ca5700e605ab6859b182edfdcd3f86ad9356ce195e066b795fc06ab02600087fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f9ac1a6679a6358160d2ff7f7588310f

SHA1
ead0bf85c2bcc4ae5ca5487de59bfdb1549e662a

SHA256
8324906692db26af5fdba72b57656a3d453362ae45841676c146120c32c603c9

SHA512
9567455680ebabcea17dac0fb6a2aeb4e4fac090388553adfb62c757eb2eb965e52c2cdca3d2d9e81e1bb172063315ce4f76216ee6b52bef11534a5209a32f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
349395ab5ad04d717e8f17eaf9ffc99a

SHA1
5ebe847cb35193d21ecc40105af63d2aee8061e3

SHA256
27424eedf9a1c99709bc67b6d286e000770a97b5eff3111c8cb4b2ff02445a77

SHA512
94ab7d377eca918946983bcbe5c37c480161b2b3305ff6456b2fddb962cd4dbf3862388f1849a22873fe08ae7148938605f6da80d08394a75ad08c4260e1ae3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
6ba4e83ac21f96e804e473f0456369a5

SHA1
61ab3b8bd2bcf6a079328b85d08110389023ab32

SHA256
b2e29c08d93a776f92b43d039a4a4b144e64a6f6637b2757802b9d02a57c54db

SHA512
615b5551eed383f0d61ecf5b3a2b1701cdcd448db539c1174fff2cab88b7ac2aac0abf51fc99cffa73df6dfd06ddf3dcd6ff9107464ac705313f13966230db9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fd8423a8d5d4ad0371f4bd083b4f5226

SHA1
656ead41cdc49284609727db32e61ae0385a5c90

SHA256
500dbf0e8f30a058cd9b1f3e6b913da092ca18cdff2d494f9b058ab7979ceac5

SHA512
2b63174cd5fec1709a4a5ee6a0dc2c424092c878aa8453963e6aa19421a0d6b59bf5a1607eab4817620954b8a991f06eb7c150fcfe63710c45b69ccf4bf821b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
a7b0b1e93dd5d7ff7aea2fd2a3b35ca4

SHA1
11f9bb3c8e0f381fc013087e16ae0c4b1b9279e4

SHA256
cdd375555563d86ffd2cc3de9a7f6446c4bc50933c908d58fdfa8397ad6da9c2

SHA512
2037424f93783ff6202607bc61ee4a5976733f95601a3329a8f674433b14aed504f5917bb671cb9faf9f6ca10c155b3b16027e80d47c9a4ec60dfb5f7910e687

Download Submit