hxxps://online-service-mygov-au[.]org

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://online-service-mygov-au.org

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4692	3308	chrome.exe	81
PID 3308 wrote to memory of 4692	3308	chrome.exe	81
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 852	3308	chrome.exe	83
PID 3308 wrote to memory of 4792	3308	chrome.exe	84
PID 3308 wrote to memory of 4792	3308	chrome.exe	84
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85
PID 3308 wrote to memory of 3624	3308	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://online-service-mygov-au.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd84ffcc40,0x7ffd84ffcc4c,0x7ffd84ffcc58
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=288 /prefetch:2
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=724,i,5673879052095648312,9064223846477886529,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1728

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6a3d02051459eb89d9403111e95b8c47

SHA1
2fade8e4c9ec1d477941fead2bfffaba7528ba64

SHA256
98998394f305ff0ba0406f3381fcc163bac5e2c378f1788530717b4b727e7680

SHA512
bc74f0aa90805fd9f8d4ee85fbe4564a796f2825e27e0dfbc34de18fc4ca1c9454e4507d90656accac9c26cc6cba4104ee314c4984fecd42172bcaa202fb2391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f5e19cf920d115d5a4585b0cfcac5563

SHA1
e027584d02468d15654e30e1d403993c4f673609

SHA256
5f5cd2b7b1c71c2d5b5a7a7f6983b0c95de1a548d723d6a13fa77a6a765baab5

SHA512
e5ecba3b5a99407c1c25942ed112e64e0b784c626fead12db1301d483777b89ff7448db7d75fc78b6a33f699ec70e3fa3bafe3595e62d3eb7f16349c89a321e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b5373c429a68bf563b29eae0995dc6e

SHA1
3e4b16cfb6efafea8464578e284d37742440491e

SHA256
78bedcec929379041cfccf84fab08610785cc21f92ea22846e1fba5c44fa9a09

SHA512
98d025456e5298ee07bde929f41d195ab62aec8edc1ee27df47438daf64c6b4dd8917505f1fe552f51c4d46269be10b864b93776ccec4e7d85b27503e7016316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd77f81b016c935c305815474daa26b6

SHA1
280cc7ee88e59cf7ef2e00ec57599df88df28efa

SHA256
a2654c6c976fda6296912ed06bb3fe9992011a6436f21e107bcd6df8654f6ac8

SHA512
ab1fc86b50bce0771aeecc8b588c941c25f3722f5f3c5ab5c4ded1452459fee994baa50054b2e4f3cf75cb70c7ee7f95a5821d50e9c13c3a256746dddb52c835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3b2025a5035c8757176e2cfcf0492bcd

SHA1
85318824d001b118e23d0a4d0b747992f52eba88

SHA256
812be252c4f5ad03aaa694bc60ec7aff5a492c9e2e3b50f2d45e26a3c0c5e8d6

SHA512
02b18c93762f1f575dcff7ec36dbcc472131719b04a2f82db86e1f5a8e1d12ebd78a00a0c7d7fd67d6eb052f1d229610ac8408555b7bfffdebcb355a19d21450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9fdd79effef2f81eec77368e34bf30dd

SHA1
afc139a3a98bdbb7db21d3f49f056222eca8a851

SHA256
7e610a65afc48a1f3663d74a453f71c5f61e4094373da820bf49373c5b2a79ca

SHA512
1654aaa54bc15b421e81a06757d7115407535ee3ea338747160c8f95a2aece5933e79206f2059bcd994a70820222854311eb1b2792ba270f7fbc38612b627d47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\aeb20ece-5cfc-4b28-9a18-9045dc6dc916.tmp

Filesize
8KB

MD5
cb015c66e8c9d4187b272b707c560d99

SHA1
5b3cadaef8096af810b94a87a6f4f526e25e3d62

SHA256
d87af2b47949c8864aafb805a6f20494acd848951bd13695e46e238a3c2d6382

SHA512
e360e695b45097baca1d1994370a053171ab886ff7b456067241bf444e47d82d04912f796921140d3397782309d177b384f1105ab7a762ad9ae0147de2dca194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
45d2bb36a59bd38876a14abeb512c664

SHA1
a673fcb0b0423b07bd314913278d2678be4c2f14

SHA256
67a7970bb5ef867b27a9659ddf92147365c081e1237b7a8a7e4a65c8ceb887dd

SHA512
55aa482ac9f130056557084de1f9f89e57258c23638ef32f476092bdc2337836b589a721db2036892aa2ef94b765b7b3ee26efba7438476b03fe59717444204d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
b914ad8225853b846bdfe6e676b33daa

SHA1
09f29eb47ff8967636d5786b1b74360591785302

SHA256
f04d2788a3b7f9f080c2090e24c07ac2593c936581bfb9dc4754588ba47e3969

SHA512
7aee9b62b6d2e6e318138e464a186d04c4b81b994f62e37c3c381622ac29cb40b64ad144f734357bbe6ce8d04398fb2c242e5ad07a9a40ebcf6c8865d2a885fd

Download Submit