hxxps://is[.]gd/emkanu

Analysis

max time kernel
105s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://is.gd/emkanu

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703980453841741"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3964	1532	chrome.exe	83
PID 1532 wrote to memory of 3964	1532	chrome.exe	83
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 3164	1532	chrome.exe	84
PID 1532 wrote to memory of 4992	1532	chrome.exe	85
PID 1532 wrote to memory of 4992	1532	chrome.exe	85
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86
PID 1532 wrote to memory of 928	1532	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://is.gd/emkanu
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc28edcc40,0x7ffc28edcc4c,0x7ffc28edcc58
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4352,i,8938504389710656597,9983576909412092200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:1004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
735a111c2551a94e4d974e3e8fbd7ec7

SHA1
3a03d7631595f82b72807ef5ede824c8e6ef756a

SHA256
5d34c9211f9896301cc6c7eca1ca41cafdead188efef991037352be4ff012cbf

SHA512
4d5c610cff3f81d270f987b240368ccd7285695fcacff49e843c2a159f47f22dd6263963bdccbb81e2a5808dfefe55ce2267df5bf7c333df6b9bc7a4637930da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
018331bfcdad843a449931717eb65834

SHA1
348d79091242a76e718c32c78cc9010b24472469

SHA256
0536cd89d3fc79a733e99e782726cf2f7fe5bb1b745e0396ccb590d8e9a80ec3

SHA512
a2e1f92eb714f10534377f7193b785a3d21759b74274766ee4434e379dcc2b3224698c9a611661ac95853e12e6b497923067f5a6dfe0e4cd2060f8033053e9d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12f99b786433ca27beaea7cc9ad2662b

SHA1
e5702dee2fb3c069d7b3f07b2d31a7bb8352febe

SHA256
befeac524c93f910e74365e213ab09e6066db6435b3d4c28115860544e31f5ca

SHA512
8337bf1d50980f8d037a22f616fba9b5eb266828f313bff61c04225dd861d8d47dfc8ec29fa4c32a4ed3736662a80c78de0e36d67b038a55f13caeeb51c07d9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd8fb8f8f43352d8b9e884f5b89583f7

SHA1
05aaa7e25706944ba62ab0c289dbda601fb82cb9

SHA256
2fc20b61ac333d61a4e9ebdad1f86db680bb3e77ea6b2b6b90d9b177760b8618

SHA512
13015b00ffe4a3a0ac9fd9152ed57d664f43864a96eaa645768c081a3ed33b2dd63ae3f7a21ff26f1a4041b8c12f73165ac607466e5b59a3fc59f48acbb4c1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3be8537b253d973cc27abc80575ba580

SHA1
dd1fb7b6a223e78e9fd972a74a6f91392a149ced

SHA256
8dcdad8cb88f62053f2bbeaddd23e00f373374494e605fe3a88b171e9270f066

SHA512
bc6095c6c4b664e6598e4dc6eb1da15412fff5e3c2f73eba4075198593210356a8f10270877f288cc01505f05558e0dfbe7c2f8b6165732e7b875bdedbb2eee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17d65d7b1fde51965a71a70f5835334c

SHA1
2d0e33dc83df7b076aa5a03b6d1384f2baa17931

SHA256
d1468bc5ca12df8cf9ffa420374a1650a160224166ff2ea8649c1e69f15ee37b

SHA512
4e29e7466471248454255e6a5ecbc9d4f331e8bd9a4f6605a9e6bc132fe1689bdb307aedbb5edabb891931e10ca59278f5f453ea574820f6c9ae78740c74db2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64f3cf72724adfbc58570c3b14835103

SHA1
e0b9ef899245e49b134ac74290e8bed98003144d

SHA256
ae836ba02681a8f59621607806740b105d5b788ea6b402e3f86fb0dea035729b

SHA512
ca57228b0b0bb26b792344571a6a05c494bbfeb13967cad2d622178126583ab1f5df28e6e7296e5ac0eec265a0cea32486db0c60beab02f915e1b10fe5aff6ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
982d54cf33a601cac7e4e574b720862b

SHA1
49df68c72f0e8490ee6611c5f02ce6e486da3ee9

SHA256
dde0eaf07b54807c5fd0b980d8584e7a7ab7227eaf8855fec4c7d49ceefcbdd3

SHA512
d48674f5476beff664bb85d659aa5e3b295779d1d5b81dbf2551f871e6377d1510023ec52c74ce516753128500871ea5af2eb60c864bfd63de483f1fabc85d71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6efc6965b30e203e4aca571b726a92eb

SHA1
75e25059f5a22fd859e25fdfb5033982541ceabe

SHA256
59376b1181d9614eacb4ef19a7df42e38637e05434ff98f6bd249e6286ab8d8e

SHA512
10f6698e1bf52556199bcdb599a967fe23e7407f0798ca37d608b9c6604c291c51ed360fb6a907de79b6f0795b5866a8e48444063c090a672d8aa39986615d37

Download Submit