hxxp://ads[.]travelaudience[.]com

Analysis

max time kernel
59s
max time network
47s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ads.travelaudience.com

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670191231860354"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3224	5020	chrome.exe	79
PID 5020 wrote to memory of 3224	5020	chrome.exe	79
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 3272	5020	chrome.exe	80
PID 5020 wrote to memory of 2796	5020	chrome.exe	81
PID 5020 wrote to memory of 2796	5020	chrome.exe	81
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82
PID 5020 wrote to memory of 4556	5020	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://ads.travelaudience.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb569cc40,0x7ffdb569cc4c,0x7ffdb569cc58
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2352 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3012,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4124,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3352,i,13112421825257987841,17855130057883334969,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  PID:3368

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2636ed87-9aac-4cd3-9f79-89efa93c4ef7.tmp

Filesize
100KB

MD5
e647b59aae19aaf1881e748df91e13ad

SHA1
b7f7ac3d58f8be2208f522f40f8c5ed57e4ab9b9

SHA256
8afe9b35990c745920dfab312abb5849383f9c19c641e9fbaa293c9d0a16528a

SHA512
43aa3be9d9c4900f36f1ee47e0412fbf3b4e4e5634e0de26e64e7e355d421dda387d078e57384d064a0baeea1d5f580ee0f9a14895b6ba79d1804ad2ec583ad7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
afabf938a9b1f80c4d2957e5fe8b1490

SHA1
502b4fe5350ced1ef73dc17d87569e4dd8069ff6

SHA256
7ff6ead2aae0040a412b900628e46e2df4d2f7a51e8e94f22d3b08ebb4715d61

SHA512
b7c655703befdce294abea6672830aea5ec1a22ce48d351b87e3158411f7a3020974f3b2008afbd4e11af8b9a0203cc84e37d176c0c06da8cebb6458002bb892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
255a8940dd8434603441b7f3b526ee6d

SHA1
1f012b316c223984990710d4ac7e06117c951fa1

SHA256
87dff31ad2a3d9806f602f687b79745ca58ec9ff4b21bf8f1f89a8f4ff7fa909

SHA512
efcece4f83966388de9cec0ac6348fea4dbe42281858ea2762c124d4432bbfe47342147f988beb2c229c18ffd313050c1628156fcfea4486040c6b431aaea231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3ed5fbdfd8b327560bbae40e6a31a2b2

SHA1
f72fc7baece219470ff38febd273444988800db5

SHA256
a47fabee552a75c2adf506bafa809024d0f49241272db464094bd5533c73fb3f

SHA512
9e502ad418fc716ac2b3f84d955f605d19a42065f4f907bfc1c32d6d132e8d0f75ac27f4b4058b89c7706a9d2b8641c455c0c163d1fa4871609fc587f9f1cd0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f684ca9cbc815c4f0008c6cf923d1c6c

SHA1
790003b6567664b5a772ee09273d861bd05e26e4

SHA256
6d5209c6e459be8f01c490589115afc005abeb4b848081f9db42e6cd59be6846

SHA512
438e7c25eb1cb24a12eeaf5a4997a7e25a46e401fbbb2b92c4ea16936491936d8fe6e10a4dc3c6c356eea391f5f0b2a193c7d1a4d7fe547840aab17b94570710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
aebc219c60ff05bd4af12ac3a38fc882

SHA1
379716dc18875fcf5e36c6ff143298bf7f9eb4b7

SHA256
7c32a3b568e77f92f0284ac936aba5a613ab82590b5016fe2efd99cc9e3fe7a0

SHA512
d3fb7c3a27fa628466311cdfd89932a7b8119d397ca577c1262833c331f923ca2140a38424f738b9eaa872323f6651aa9f2984ae050e938e83cf6f616be534f5

Download Submit