hxxps://insight[.]gwi[.]com/make-your-ads-unmissable-with-our-ultimate-guide

Analysis

max time kernel
11s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://insight.gwi.com/make-your-ads-unmissable-with-our-ultimate-guide

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693496256925700"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	chrome.exe
636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4976	636	chrome.exe	86
PID 636 wrote to memory of 4976	636	chrome.exe	86
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 3320	636	chrome.exe	88
PID 636 wrote to memory of 4496	636	chrome.exe	89
PID 636 wrote to memory of 4496	636	chrome.exe	89
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90
PID 636 wrote to memory of 444	636	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://insight.gwi.com/make-your-ads-unmissable-with-our-ultimate-guide
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa7b64cc40,0x7ffa7b64cc4c,0x7ffa7b64cc58
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4840,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5036,i,13297824943519590866,3027596443218775134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2fd9c6d10621d4dcae5b4408fc772175

SHA1
793600899e8367d025de37603e3e38d718944032

SHA256
a56d1ab1ee3850ab56c13b82a444073af339052c1400e10ce682b3f8d812bef0

SHA512
b4d97be63e8eb077216952e19e36f52747c70612f4026c330f75487f0474842ab64437916b6a3e4d2c12cde59bdca4fbf0a5acb1f2ddbd9d29e114127bf05607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
bca607944ffd89159196b1c490e9969b

SHA1
6b4e17b184f63aeb2b970fe59555b124d8500682

SHA256
d3a1f69fc4bf6b9a470be595d0f336a50f87354c3998cf2eb876c5a45327862f

SHA512
d26a19aead1f93890ea7ea286b1e7cfabb03c67813d889d8ada7c67aaaef89ef700b32e77b119cb3a22b68be0daa8d778a551c98dc78637efd200dc8b04828cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c43cc8b5cd950af0d42433e12ece1f32

SHA1
01c9970a74c879fefdac5cfe15cf8dc7bd0a0ae5

SHA256
915baad43af3681e7582373494f677e3552130be0fc30dcd62d642e8c69a29fe

SHA512
a050a8e0e0bfb788d6af2292766510638c55262e10f60af2c61874c1da1aa72ee84dc4c4138bcd530c4c2a356bf7579324399c1639714bfd0378efb594d6d17b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5e61c088c5abcb981344ce3120e1c3d8

SHA1
947e100530d11f9db8c3822bfebc3da24f7487cb

SHA256
b854c26d42470ee6b100d37ff5273cab6bed824fd5f44bc6cd9f09ba806597bd

SHA512
d4c7c86efca4ebb28be398cb317f36ed16ab91708693d3491bef4588843f1dcb42d1fb27103ecadc481edbc712a8c94dd4434dc559529b52cf6c982c5c487d11

Download Submit