hxxps://batholitic-thielavia-21a7e8b1f2e2[.]herokuapp[.]com/b?y=49ii4eh26or3ce9k74ojedhgcor3gp1g6osjeoj1cdgjaph25gh748hq49k78t3gect2ubr2d5q2sr3p5spkkj37e96le8g=

Resubmissions

12/07/2024, 11:31

240712-nm473stenf 1

12/07/2024, 11:10

240712-m9xk3stajg 5

Analysis

max time kernel
11s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 11:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://batholitic-thielavia-21a7e8b1f2e2.herokuapp.com/b?y=49ii4eh26or3ce9k74ojedhgcor3gp1g6osjeoj1cdgjaph25gh748hq49k78t3gect2ubr2d5q2sr3p5spkkj37e96le8g=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652627400468095"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 384	3556	chrome.exe	83
PID 3556 wrote to memory of 384	3556	chrome.exe	83
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 3160	3556	chrome.exe	84
PID 3556 wrote to memory of 2220	3556	chrome.exe	85
PID 3556 wrote to memory of 2220	3556	chrome.exe	85
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86
PID 3556 wrote to memory of 3032	3556	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://batholitic-thielavia-21a7e8b1f2e2.herokuapp.com/b?y=49ii4eh26or3ce9k74ojedhgcor3gp1g6osjeoj1cdgjaph25gh748hq49k78t3gect2ubr2d5q2sr3p5spkkj37e96le8g=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff93aa2cc40,0x7ff93aa2cc4c,0x7ff93aa2cc58
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,4540583185283971835,16855223193608568884,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:1248

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8c092d59-667e-4cf5-8586-efe30923580f.tmp

Filesize
92KB

MD5
48c07bb8307f510333fadf4df2ac6b20

SHA1
8e7b2cc4c75c34da220682405a3cf63f43422f73

SHA256
779fb6fd790b6dd84a386a11e6f73e6dfbe0ba61647dcd96342439ddfbe2bc00

SHA512
be5acf9592472d2b3f2c74078e570ca9fd6c08cf493bcf2bd4b3b2358e89402791743ab763518732c1d06bf33e6a69bc56e3eb74bc964d1b31ec248aab0b4ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aeb642d0b0c207d81dbfa27016a9c191

SHA1
c84f1c18d44dc926832b3ae2b010e0d798a7c4e4

SHA256
86ed7f16d8b31bab3aa1173c50f051eb266c52af6e0e389002d8427205892031

SHA512
c9e7754462b11d2f7136be2cfd3e00bd790c4026cdfaae8f87aa2f2a08fb368484bd3ea106479051fb7eee3356aaa3f34ed3ffcfd724f9e68fd18334f04c611a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0a361a9f8d0e2451c5b2211d4b440e06

SHA1
6979061fb7cd3a9940cebf7aff35d6d8e451da75

SHA256
d9e73bf9fe4fd19ddfa30a1778a7e2536916aa10c4346231acf0eb2b54ba001c

SHA512
e8c598568af535fd47926db5274b3c923b86a2203ced823a4593ffa39226c8dbbb45090a861bc0d022fe50e98ba46cc380c970e1c9892f8a755c315ec0945f98

Download Submit