hxxps://oneclub-dot-yamm-track[.]appspot[.]com/2Z5mqvhINRzsKoo4DWz8Bvv5iHnDPq05idMi9kwkld516_TTCkAFKuuKlO9nt1f3-Y2Zp0xEyjzKhjUlO5s5ARXtGu83cYjf35QJUvPPl8tyCwHm5bDohIvLwjXJ62Bh-EIDmM5clgRehahpZQmNlK6oZPfP_1UJKo3RViHYXvNAfeA

Analysis

max time kernel
23s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oneclub-dot-yamm-track.appspot.com/2Z5mqvhINRzsKoo4DWz8Bvv5iHnDPq05idMi9kwkld516_TTCkAFKuuKlO9nt1f3-Y2Zp0xEyjzKhjUlO5s5ARXtGu83cYjf35QJUvPPl8tyCwHm5bDohIvLwjXJ62Bh-EIDmM5clgRehahpZQmNlK6oZPfP_1UJKo3RViHYXvNAfeA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662180384441462"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	chrome.exe
232	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4420	232	chrome.exe	84
PID 232 wrote to memory of 4420	232	chrome.exe	84
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 2944	232	chrome.exe	85
PID 232 wrote to memory of 332	232	chrome.exe	86
PID 232 wrote to memory of 332	232	chrome.exe	86
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87
PID 232 wrote to memory of 1540	232	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oneclub-dot-yamm-track.appspot.com/2Z5mqvhINRzsKoo4DWz8Bvv5iHnDPq05idMi9kwkld516_TTCkAFKuuKlO9nt1f3-Y2Zp0xEyjzKhjUlO5s5ARXtGu83cYjf35QJUvPPl8tyCwHm5bDohIvLwjXJ62Bh-EIDmM5clgRehahpZQmNlK6oZPfP_1UJKo3RViHYXvNAfeA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdfd2ccc40,0x7ffdfd2ccc4c,0x7ffdfd2ccc58
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4452,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4992,i,10292469804046622640,3642970509977338906,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:3240

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bbb934fc8d60e27fef6813624c666e26

SHA1
339de9f1a08ac84e624da7e21c1785f297e00288

SHA256
2281a64b1efe393742e8e5c73b56f83b57134addc9c61ba82d5ada6eb951bbbb

SHA512
39018f0a6bf185b20ffb09b15c6480c477e9f105c53f16fa02d2192548317053062218f53780b8b948eed1a51fc6ce3e95ec757a183734a241dc786ac8fd4150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e2214c7a061a2c3cbcaa3fc83978a7ea

SHA1
b86f91ef86bb8febaf9623acbca629a038a2a6a9

SHA256
9160f8309f5a75e9227d0d64bb5f6d0e1d4ab92c40c7ed72f85ef989f6ad9faf

SHA512
638a97aa957eb4f615f29a85509f498fc548bb1cf9e1e44f0d7ba1f28e330716e7be70e76c9c01b359a5ab00d249c38b270868b165900df210c2f443a2fbfcfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e4bbf2146d086622c8b6c853289c2615

SHA1
8d2250e35f38367e2e4de5b1c9c7605b6580eb88

SHA256
c1383dab5a1d682c578ae09857f659c7c71dd8f3a34ba3b7188765a83e2d9284

SHA512
5e37a9975366e4394f354657c2aabbba78f59c0fb107743d9eb80b66415477be0efcb351d84712669f7447f80349d314cc60969e0e5409f400f0a465941659e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e031ceaf2876a758336b677d54d8ed18

SHA1
327cfb078236f76f8f4cce70307db8bc73ba24a6

SHA256
6166f864cdcd7f5f522a509ca82ea054662f0273a49a149db66edb79b8155067

SHA512
3d8940209d7f2803703b270c1fc9fd59fec11c2ba46c00cf836ee1bb3b4298ca47f70c861c6ae3c73f294dcb65d798dc71fa30087155315e0318866234bedca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
b19b3d5a6198efe06050d4a6b8673c12

SHA1
85557e85cf20754fd66f191f19daf2b03c61c3ae

SHA256
37ac4a80df16fed0e9c92a1f39b60678bf49cb93b18a5be47bd9eeddd44c5032

SHA512
c7d024b428addd386d8665b19f12bea74dae05d64179dd8455b867a6518176c6eec5c1f5ec4c3014c930b20bd3000b9d577cf376462ad99c6f5fba556464d4fa

Download Submit