hxxps://trk[.]cp20[.]com/click/gq9x-a048i-5pexy1-p9ws0w9/

Analysis

max time kernel
25s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://trk.cp20.com/click/gq9x-a048i-5pexy1-p9ws0w9/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676786853466793"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4960	chrome.exe
4960	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 784	4960	chrome.exe	83
PID 4960 wrote to memory of 784	4960	chrome.exe	83
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 1500	4960	chrome.exe	84
PID 4960 wrote to memory of 2264	4960	chrome.exe	85
PID 4960 wrote to memory of 2264	4960	chrome.exe	85
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86
PID 4960 wrote to memory of 1224	4960	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://trk.cp20.com/click/gq9x-a048i-5pexy1-p9ws0w9/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fa3cc40,0x7ffa8fa3cc4c,0x7ffa8fa3cc58
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1580,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3428,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4332,i,9676486410754324200,9838668149984438462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cdd72cc98a8fb07ce419c0ab747c9b61

SHA1
0c5427a014742196de323e16db905a8178d1ff60

SHA256
9520df03e8e70b1ab7943c598ea6fbaa0d387886f28aa17d57c85bb82870efc5

SHA512
d7f8f29d9c7411263308a51e88aace460ae8a42e211c1958226ed44602b56ae99e6058da0345c6af4bd98a16ca49719e627f7c8af62dd765db9a878d73e31424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
be92168a9e143b01013dc36ca39360a9

SHA1
7547da82c282c780da10ea34a969eae51e4acccc

SHA256
2b1acf6eb544ff861ef7048944516e4927ec9d3552cec819b4971f1c66c392b5

SHA512
cafd2ac03af535cfdaa58c5010079a08a64a942a241b59fbfbfb3c2c986c9f3de509f5af4a7c8af3b2bef885760c4070253b187d1aba9f0c7ae3fb86235379d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
18813ee8771710659ba484aab82e8a04

SHA1
8a46a0d83734576cc18bb2f12eb0b89856a493d3

SHA256
8e8cf57004c633164e7c3c087bf76204f3199db799fe4afbfa3e4ceedec5cf5c

SHA512
239651dbc2c11cef763eb947673f5b0a9b9db7ffd7889867f7e5d3e9b5603d82dd54ec7bcbd71271b22a4e73a92d18d729621018bec0fc517560126893714d5d

Download Submit