hxxp://playfuldslrest[.]world

Analysis

max time kernel
59s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12/09/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://playfuldslrest.world

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133706241746283302"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3824	3380	chrome.exe	78
PID 3380 wrote to memory of 3824	3380	chrome.exe	78
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 1384	3380	chrome.exe	79
PID 3380 wrote to memory of 4052	3380	chrome.exe	80
PID 3380 wrote to memory of 4052	3380	chrome.exe	80
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81
PID 3380 wrote to memory of 3496	3380	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://playfuldslrest.world
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd02b8cc40,0x7ffd02b8cc4c,0x7ffd02b8cc58
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1932 /prefetch:3
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2996,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3008,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4120,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3256,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4920,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3744,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4488,i,4593550811780028574,5120417052785027458,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:1172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b09492c7cf1093b12c1e6aff65d9e329

SHA1
95fa52f9efe8099e35db48488a172eb9cfd34553

SHA256
89043ba5bccc2be6e87fa3c35d4b92259f6128d508177d45efea8b9f7a66f160

SHA512
5815c765df107e082a50577b375f9d1109770e6baa9b9b33ec24bec87e493166b644434a8a48363d87660df52ed15a90af91c42df9d2a9477e822d5e391dc1b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
748ccf06c089fadd82970106dc778f03

SHA1
8e389cb7f6efe1c75056d2641d9e946b23e7fbdf

SHA256
8ef59ca7482874ac87b52e5c466ec5b91eabfc305f26f56a5a51a448bfce6dbb

SHA512
d722cf7ebc9379adac698a0b418eb5ff2802b36bef1dd5d07a1997f0776c247e7a6bd0335b060d78159bf3376d962c45be1c7709af8684d82e0c3a83b2428ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc0e35de9c980bbafad1726a814d2c9b

SHA1
60b2d320a64fd8cbe74ade96d7596a7ef8c25877

SHA256
d09581b55617a5e8c6f140c9528e31d82aedfd858ae925861719206b4adf0194

SHA512
77c8bfbfbe6209215d917e292604448b3d4131816eb8d1c90cb1e338ff40dae70ee6a254c0736e6858c75852a7f55e4de4f322df54d113d4b9d95d2b46ff54ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90c5c0d0b9a2627e35003d774a57a07e

SHA1
f907fe0d2ddd99c53d74a39ee2eb671245c06e08

SHA256
150b8c8fab60afef010f8e207680673703b98d53140e6b0fafb2633d91d03408

SHA512
0f3da851a22a3c177545b4b2c7528152254fac089b1c0d9531bdab5a4330431e89496ea1f7336d14280170255bf625eb42e54af350a17fe9db499cb8758bdc6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17aad9553c4b5853835175c16a2e44cc

SHA1
d8c87b7230a57767096691f99a74f650915fe8f2

SHA256
51b192f0b7c45b902015e908b9089ee12af7245510059f1171a9e5ba5a3ac419

SHA512
ee8af78de2424790b9595791274102cd96c07c5f532463a785a7558b6383bb4a896af6b2f38fb11081d7de2d859789babfc8830ae42d09e455f4eb69f072ae00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c16dd10a56bbba7cd7958f9d7a6707f0

SHA1
13c734590e3d4cf027de4c8566633d67c0c49257

SHA256
890239cd634f7813bd6c63260b351f50503e99de322b87ab9d04654580e160f7

SHA512
f82de8b0f3816b14c7f5c19fd5d99cd09a1532181e99fb4f742e0085ab461e09462fbd18dd92370b70c4d634ea51a29851333c52e0c04b74cc9483aa989d3683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
fcfe9bcc384139ebf55d1ba40d22bc0e

SHA1
124fc081200e38c4cfb3215b8fbb1d4374841fcc

SHA256
f091f785c515be212889e4d3d8fe98d5f4853d46fb3f80b7359933d6d0116b18

SHA512
72d785d1c5c1da3b5c26028c43bc1a6ab169ecf2d570b2f18025635ca0a989037f1e73c42e7d6ec8ac6a7553dbaa2633f1a3fec38beda14c315a693d737f659b

Download Submit