hxxp://clairsolinc[.]com

Analysis

max time kernel
75s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://clairsolinc.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4400	4556	chrome.exe	82
PID 4556 wrote to memory of 4400	4556	chrome.exe	82
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 4592	4556	chrome.exe	83
PID 4556 wrote to memory of 2116	4556	chrome.exe	84
PID 4556 wrote to memory of 2116	4556	chrome.exe	84
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85
PID 4556 wrote to memory of 4840	4556	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://clairsolinc.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd314bcc40,0x7ffd314bcc4c,0x7ffd314bcc58
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4816,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3436,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3308,i,5173784159026939501,11623425380834420787,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:4324

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\93a2554b-d535-4dc8-b868-c86d3e2664b7.tmp

Filesize
8KB

MD5
3dbf9528e67a5f3a677769217eef22ea

SHA1
7892ac7e6c14da58b1a6e9742662d12a51f70052

SHA256
cee23ef6673c23277d962421ac1c5a93de3d083c8a4ec122ac76e70ede4437a4

SHA512
a8c10287efb8aff6eba89c7bfae54b05bf5b4a7b8506dd59af9440e52c36a615ac52c6cf3d68ec4f746edd2561f77c8a07f747a71c6c426cffde15b6959bd253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\64b7766d-7e89-458f-9084-dde748aeac39.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6e7cf16d29ac442ffbea095f36e5a6c0

SHA1
7466902340945a5a31d99f39fe5a95e20bf52d71

SHA256
c6de8ead794df59141185012e376769ad794d54173cf4b3aa3612f43221c800f

SHA512
b0a3e56106be129c71b16436b8496248b3f64d6530e08ea588f94b165bdc4ce87a2cf1450655087695d2025ac1b634a9a54d8dab9d3729b25838d9d40a12420a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c47a346618b7d7fdff8619d7c54fa26b

SHA1
15a27ec25f075788492f6e2f157aa1cb35e50c62

SHA256
aa87ec432ac37d42916a12496666baf925350d3d61b16fbbd322ff13e194983f

SHA512
e75297aa9fe69e315e2e8c77250924930560824db9cf396cbdc608b90c135630778418ea02e83e10ee4e8b6169f619f33e3cf13b0c217f94c9386f11901dcff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2b87dab56c795b770b9612e7a6da06a4

SHA1
adc6ef34474db61a5bbd4d370b16d0d9583d79bb

SHA256
cdc4d95a54ed93a0e47d7c8153329c6f0c4b71537dd42cd98967913804e71a71

SHA512
ac473a72f71e40f2bdb10b86c50e0677bfd73f0495e0b3ac54434d4f85094d23a964f65f04edb5d7619d9e380a2fc82a0f1677730470c3380ada93bca6401783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
32cfdb109a92c7bddb393aaba0777b86

SHA1
5779747c40d7998ad3c602a5ad48c26e494dce12

SHA256
9577fea172c2fb5cfc090d0b6f6b556efeed8b4e4695062eaf140f840cebf9aa

SHA512
1a466d50dc886ebd3e0c23c07ce0de38cbd52a3c0ac08350ce769e050dde2b805741c4038aef8bdf7d389246bf8b5ee6946e5e0340df9dc63412f6a38b1b59b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bad58eda344aa1984ef136fc739508cd

SHA1
09597cc4533ee824b77c627f9ec1503ccf0555a2

SHA256
910b71b8a90fa934386cbd507cdeacd11bde394a366a1cde43aed657070d84de

SHA512
1af2d2f7b014ff3108e19a4055dbdd623016d035d25bca020ac629e9d3d6812cbb3dd4385a0179c1643ce59e40d4ac00504a82c93b1e5c5cee7076c587e3edc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
6f525377a824449861b43e45cf4bed28

SHA1
24b083de98cc6cd45f29b382f27f220f58650a3e

SHA256
cef7a83db967245dfefb28bb14412509b9ebcfb78144b9b674aa319aae9f2f24

SHA512
bf631c549e46749236753f07b59a7f66917bcf753f699ebe5e42b657db72b8445aa8c48d2f174a299a630956f8ad308084396f453e60b812470c789b8225eef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
f4d8b6191c3aa0ce64c617a908f78f0e

SHA1
843bf2c0dc469d6e07e60babbc9f9773a3ec09c3

SHA256
b0e4e003306a903a0f2fd1e06d01121dbf74bc7afd7c96aa1a3be2511874feaa

SHA512
f2362ebc3782bcaeb5e84e4d6ac1ca44f93a412e56572cd27aca01956e742df272edc018e795ed388619d2fc11043a094ddef7e350e35de72458da08a7acc3d8

Download Submit