hxxp://yotsubasociety[.]org/staff/

Analysis

max time kernel
57s
max time network
47s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://yotsubasociety.org/staff/

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685149183447229"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3848	chrome.exe
3848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3848	chrome.exe
3848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 4160	3848	chrome.exe	81
PID 3848 wrote to memory of 4160	3848	chrome.exe	81
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 4568	3848	chrome.exe	82
PID 3848 wrote to memory of 892	3848	chrome.exe	83
PID 3848 wrote to memory of 892	3848	chrome.exe	83
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84
PID 3848 wrote to memory of 4900	3848	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://yotsubasociety.org/staff/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6338cc40,0x7ffd6338cc4c,0x7ffd6338cc58
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3016,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3028,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,17156354142433990049,10727152637537313707,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:4512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
466cb07d3d7fa042a7cb3f9f92ec4308

SHA1
f7227ff0200f6fb895b01fe3bd0fcd7618f6bcc9

SHA256
53f77a52a8e798a8425ce4c100a374e6d19136e9a3b7e8c466f06eb339b1e5bd

SHA512
eabc5809fbec13047214283e660ae7849e35c6973b02437d1a613a8931e5fa835c035e5797ad5df21700e1c32f0f1269441d5f310affa834b767307d3ba75980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1c76e664926df37adb7bac351051a596

SHA1
dc799f5dae6c49f3b80845136a01c5d69b349456

SHA256
e8272ce97037fc5be063529b3243e0e7aa1d3228c0a97f8469729243d3d6a37c

SHA512
f68c75aa05ddf46dcc469bd6e840f9b1bd5ff701546e5e805019a4a5631db639045865707bdac386fe833e6edc7022d4025167267170b28964777698ab652fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\10ad91fa-946d-465e-a8fd-c03cb0094c8b.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4fe2f79ea91b218d93c105ecffad69b6

SHA1
25da71609a24310de87dd53be759b7cff0644476

SHA256
c51ba28b18474bcb5315aa4a17f3825c79f45491ce1930e6bcc8f6e6c85c2fcf

SHA512
831bd95fc01b544fbe9f893535b67b339f4e533bf4490bd65e57bdb5999d8fa746e0e7f015722094458e754601574d4cf1bf9b5304c7976fff044aa8e210dc85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6ab929b77deda95bd9ad83701a15c95

SHA1
8a7c654d0a6ee42ca67e443aca34299a881e94bd

SHA256
6331fa11e761035ec5c0b6a6c22c9e5fef07b40180f477cec8e1477326cbea7a

SHA512
d4d2c090ffebece8ea37ae471d690133be0a0d7566339f323da934ed0734100805f85139c0711110c3294aceeea11618292d390e889d723fe6580dbb3ed33ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e743f15183ad5f52a0ccb48c5a160d3

SHA1
36b6f7df82085e35d36f33028ad5fdca82f41526

SHA256
72609bf6c20c602ae153d388fbaaeda0847ff6e6d0cd987cee703805f652b5f1

SHA512
1c10939a2c34ae93ebea73ba44365399e20b2805ce76c5d2c363105f9a2de2cc99b0b10edc3acd285a29c691a00be673912eeefdf247e08bf0be870296c25ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30061152ec0d2d5b867bb67005c4678f

SHA1
bf277edeb4a9a3e9de8ecfecac110815fc752eb1

SHA256
7e1f20bfcc2369b6487d06ba813b45884de5eedcad41c965867b88da870f1713

SHA512
f113ded9b208421ac1f2929b30515f656fdbcfafbba34dbc6739f876c6297114df5c3539620af3dec77ff578ad200c7d02856fa7f952dbd482c2b47379053709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
6cf4795a067868b4fb304af698a05c2b

SHA1
a30bdb459a03ed200487338cfe206c5bcfab554b

SHA256
4817e39e6bf741a7376da80636efba11fbcbf8deb9d3c3e69ba7cbab4fbc0c54

SHA512
ee5f3cc17c6887b03874a7a8b851605687745df945838704a5d76169e266e596a3dd15b78bf81772beb3f16ec6eb175007bc60b6c5b9e8329d5c7c05bfd67fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f7757fb2d8a3d8980d0e3d413e7ea23a

SHA1
3e895336728b94e11720221fb4889d04bf929e7b

SHA256
35de0b4f000fc3dd9a7b14e6cbc2ace2263f21189f0f6abde7d231148148e23e

SHA512
108897c1e010727f00dc4712883ca011405255621f2e15a9d83bf9907d5b18c904d79fadf5135d14e987f2bcd11243c58fefb397206e5e28b2a9a3b3f4a65ea2

Download Submit