hxxp://node1[.]smallshi[.]com

Analysis

max time kernel
79s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://node1.smallshi.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133650122404188460"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3940	2184	chrome.exe	83
PID 2184 wrote to memory of 3940	2184	chrome.exe	83
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 2120	2184	chrome.exe	85
PID 2184 wrote to memory of 4748	2184	chrome.exe	86
PID 2184 wrote to memory of 4748	2184	chrome.exe	86
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87
PID 2184 wrote to memory of 1148	2184	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://node1.smallshi.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fff8eb4ab58,0x7fff8eb4ab68,0x7fff8eb4ab78
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4380 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4348 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4344 --field-trial-handle=1856,i,11633427140227653885,12656222151429670585,131072 /prefetch:1
  2⤵
  PID:1944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
dd4b30491a5c954b210e442955b2eb5f

SHA1
24e543b0b7a2f1e3d44f8fb5805d0e2c01cc7502

SHA256
973aaead38baac5b4e2f806659ca46b55cfa41110408e74bc6dd54e81a39e336

SHA512
c01174fe1e6d240407b0e1fc9324cb4cb3ad62670196a174adaccc4690f5d9351ef5edefca22f07283e7358cbb5696814903994f37e403694635d5d4f4c49151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
2b06193effee0af3d5440407160b413e

SHA1
c786540e51c9388d5dd349f3afe648a0530a8ac2

SHA256
3795e8e8c664e10f26bb5a693e15a9ea04c7dc92ff92d28aa207c82e10079f9f

SHA512
838d7b2b9a650f62cd9970810e7341a5d54e99e2102ffe948da10e94ae8d968ca36e15bb7444d5e83ca92c04889e4146edc44c215646e809b4191158250765ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
17d9e1624b0c5cfe3e3b51a4c889e3c2

SHA1
49b6ccc9163e66ed106939ca344664c2196e0299

SHA256
78352cc7027cec12c54bd50251b01e298e3c94e3eee922e8dd4b29cf72ec0ab1

SHA512
5fe7c65eeddd6fade9d2cdd132b0203006a150baeff8bad39fc36e1cf8979234ac0dcbc5d78ebe4618d10e826e4d68467fca2d6e3fedaed305f9e5ad9aa1a022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
03c2277b89374fcd129db9203b9452a9

SHA1
9cea82dbd485ead8aee4ce7ec5c2f87ad7bc759e

SHA256
82f0f86edf44b84bde6b6a8ad74aa5216f499a25edb61ad201ab5e28fbda3345

SHA512
1bdb67d6f2ceda01cd32b8f70f11eb7428f951104941b3df45af39ee45636098ca917054baf319aaeb84a67d7b6dcb87bb4b0e0022fc9241d50588875043e122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e811a9f1bcb38a1fe13f2d907ceb4bc4

SHA1
c23206250db7ce3c164a99b3b07f3ca18ae4644c

SHA256
2acc91df8c78f0038cdcfa168551d1bff222308cce5952675eb459958b4650d6

SHA512
ffac831ddc4c244ff40b215c9b23ef544803217bd39833ae20170e2eecbd85f11d7565338fca96004c73236f405c4fef6f90ba5092fc697147532f2919b64c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
c20445f92609c87fcbf5635cdabf064e

SHA1
9db94b2aba169a71163edb5ffc8902f9cb797264

SHA256
3aed19b96cdf721dc4d97628b04fcaac8ab901fc879145d1406c1ddf61adcade

SHA512
9ee88fe7e71a2a7b2abbe0311dd61014a058f7aef88bf1abbf94b0e5455d85d40f6b93ad4c76d88994d8d5adbc4c6a6e94d1203dfb70fa2c1b9a5c0d29d9ee89

Download Submit