hxxps://ap[.]greenbiz[.]com/b?y=49ii4eh26or62ohp6tim6ob56hijadpg65h34dhi6cs38ph25gh748hq49k78t3gect2ubrnetrispriclimsoj9f8n66rrd5tincpbeehpiutj5e9jmabpi60p38br7e9nnas1de1gm6qr1ctii4===

Analysis

max time kernel
11s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ap.greenbiz.com/b?y=49ii4eh26or62ohp6tim6ob56hijadpg65h34dhi6cs38ph25gh748hq49k78t3gect2ubrnetrispriclimsoj9f8n66rrd5tincpbeehpiutj5e9jmabpi60p38br7e9nnas1de1gm6qr1ctii4===

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670187670125006"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	chrome.exe
468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1992	468	chrome.exe	85
PID 468 wrote to memory of 1992	468	chrome.exe	85
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 2788	468	chrome.exe	86
PID 468 wrote to memory of 3712	468	chrome.exe	87
PID 468 wrote to memory of 3712	468	chrome.exe	87
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88
PID 468 wrote to memory of 3732	468	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ap.greenbiz.com/b?y=49ii4eh26or62ohp6tim6ob56hijadpg65h34dhi6cs38ph25gh748hq49k78t3gect2ubrnetrispriclimsoj9f8n66rrd5tincpbeehpiutj5e9jmabpi60p38br7e9nnas1de1gm6qr1ctii4===
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb80d9cc40,0x7ffb80d9cc4c,0x7ffb80d9cc58
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3688,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4000,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4492,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3156,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5216,i,14885831124090774125,1534097727693905562,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:884

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
83c42f27fce3434e2d2c7935168971f3

SHA1
7ae303067197b1823c300575ef930173f460fae5

SHA256
9050d7bdfac700e2ff1b144d93042652bb477013fd17c2141de759f38d5dab6a

SHA512
1dd1b08ef90d93d1e20bc1a53dab45652e89145e981bc1f7776e0de019842f92223c3853ae862a85806df43ab7b2e00965fc87f86b3a04549cefd36ec5daf30e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ade4b5990d30d2df568170d1096e93f0

SHA1
153959bf3ad621a6ac73745ed841c2ddc2e5e6a5

SHA256
07f356a74150a22e4dcc8a9941f9f6465b402d0c507f2d520847674dceabf918

SHA512
02c26bc2f1b498b9919ccc57e4a6218c242ba4d8d96483f5ed332f33001ddd90fd7c680337a6d57f388fb0e8e059066077cdef77ef7e64d115cec36871ee0548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
a0bcf983b31c9942f0eccca7aad60a85

SHA1
951e23bf4ecf1a599885435bee2461ffb47cdd78

SHA256
abcbd8b7817918b2f3a0065031690d678cf32f75e1f9f105a0b80d9f3486e75c

SHA512
31bc2c5026c1834d4605fc8c8cf232a6a2de24fc0a3b80e387efeec0211276dc0a29d631188aed0dee49670b8bfec88ccc7ad99542d7e5222a15d52351116fb1

Download Submit