hxxp://rationalqatar[.]com[.]qa

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 09:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://rationalqatar.com.qa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660280557012530"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1104	4972	chrome.exe	83
PID 4972 wrote to memory of 1104	4972	chrome.exe	83
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 2764	4972	chrome.exe	84
PID 4972 wrote to memory of 968	4972	chrome.exe	85
PID 4972 wrote to memory of 968	4972	chrome.exe	85
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86
PID 4972 wrote to memory of 2836	4972	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://rationalqatar.com.qa
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51b4ab58,0x7ffb51b4ab68,0x7ffb51b4ab78
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:2
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4448 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=968 --field-trial-handle=1828,i,3336355728283959451,3513256541487916397,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
817ffb57662cb5de50111d4da328b242

SHA1
79c2e3e44042ec6699a781596ca19775856c85a8

SHA256
2790495ac57286c884b2642f1faec9dae8ff02a86923a9ceae17049082596d83

SHA512
68c7cde10e6f96a31d952f3ea4d2aadec107d2d02bf33036871ae1250ddc6ef3fe33f54e0123d6ace7dd1cea9da8f1ba03a9683ae9ed7d85eaeee56550d6b8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4e25610a8bba0563b2b86a7bc3aa9c80

SHA1
8e0e199890d8315327139ab2c7e41d05cf4a5a80

SHA256
e477c2f8d266947d03053661744b4e2b4232ecca020c44e61a01d5d2b9d1ec9a

SHA512
d6b9a1507b2a799707fa81fb4b77f7437f237e6b29cffd824e2d323dc2d0422d496997d6989b11a03293d69e9dffed172254ab82fc16f419be9e97f4107eee51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
858ae37f265d524c659d1881d0f87e77

SHA1
8aacad25886f6a6f136f9c425f29c98428237050

SHA256
1da340def86eeca8d2f03269c8e5d84786c170dc28c23608c0d437b10d0f497b

SHA512
f51ab15599042f267715f1bfeb2a97984d6916cc94dacd4ff2b931c9d16577dc18d1bce5b4efddbbb2cb0e5f590ac7a6d07854b0f4f1b5d659b5a276ee497391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0d1dfab3dd7872f46e0252dac3f0dd60

SHA1
7ffea72dfbb9f71472559f8e2b5bbe2949231232

SHA256
d3b845a11e1b5ef16253eef20d207b9520c60ef4a1b35f35f80960c74b62ad27

SHA512
4ec9c068933414d656e8632e30b77d2d1f974be33331a9582211a0473ebf55d317e5a1108b739bb3d0892852a49fac3eee4594ff89769c418bed3d6b7994a28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
608f62b0c6facf823790d2b34965569b

SHA1
27b9fe7168d9cfbf7784a3257aeea3232bc1b8ca

SHA256
e1dd94c3859235426e62d0ce4c331dd143d0203c07f613b6a27316e6c9f6722b

SHA512
fda7252b74037c2251a07d5f8f7a22207ebc5de743373fb56d4893b066f45bf46ca63c8a08db4af6bf96a0d71016a16170b5c9d80bb52f0d82d056a843d5dc82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
c5ba3ee93194b0cf6921a595deafe1e7

SHA1
e9abb3b829a518e4f598146a8b97c6fc092921d7

SHA256
43f7c6be3659247e7116f5bb2ee3b30ac6cd65f600f28c7190820ef10f0a59af

SHA512
9b83c968ce3c21d93074178ba9bf0c7e8c755e03cc74c468570a966f79473f608cc200f09c5b5b45b65cd1a07cdd93c7ddbf0855e4ce87c322d768a229229fc1

Download Submit