2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

Analysis

max time kernel
149s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-09-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hit;uto_404.gif
Size

43B
MD5

fc94fb0c3ed8a8f909dbc7630a0987ff
SHA1

56d45f8a17f5078a20af9962c992ca4678450765
SHA256

2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
SHA512

c87bf81fd70cf6434ca3a6c05ad6e9bd3f1d96f77dddad8d45ee043b126b2cb07a5cf23b4137b9d8462cd8a9adf2b463ab6de2b38c93db72d2d511ca60e3b57e

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133710641375802826"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1508	4964	chrome.exe	75
PID 4964 wrote to memory of 1508	4964	chrome.exe	75
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 4364	4964	chrome.exe	77
PID 4964 wrote to memory of 3632	4964	chrome.exe	78
PID 4964 wrote to memory of 3632	4964	chrome.exe	78
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79
PID 4964 wrote to memory of 2140	4964	chrome.exe	79

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\hit;uto_404.gif
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffcad99758,0x7fffcad99768,0x7fffcad99778
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:2
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1836,i,1714806428387152862,983204886771111732,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6f31d8fd-9bb8-4001-a119-f776f64040c4.tmp

Filesize
5KB

MD5
cf6cbe04001cc8172dc3415edb3ef748

SHA1
1ba399b753b3c16fceadfaa0f97a401ef03576fd

SHA256
25b2c62bf1a98351fe23c33a084b9b6e281dff5c2fd318ef1f01dc45ee965214

SHA512
f860809d44550bbc5733d6a2fd257b4fe4713304fd44b7ee7f27c77c7bd051086d70ba4543ee53787a7f7a376bda39fa6c35e4d67d414ee836165e4a0de52666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
95e230690c604950eb6ac8bd9fb2bb08

SHA1
6299ba20ed4ce6f6d3b65f6a31cb0e14e3e47d79

SHA256
b7a434b891b66aa2a7af7dcc775fd8b07d001c63a7a5113861b5e68c2fa90264

SHA512
472834c1be27e88ae3e2c2ddd3afd6a008fef3f0372d0fcedabcd537071020925ace85c97e1d7e473f60a794438a904257c4bee5419eaf15428c9213190d39e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
270f57ff0c227d14e3a63e75aff8ab3b

SHA1
2a74db267dc9afd43bd46413d00fca129be1cc3f

SHA256
f2f38e0b45571ba633d644e53031ebae64dea7394a14dceef5e0fe472abd4e30

SHA512
9e1dc77e1c59cdb4d055c78a87a7fa2eb7264852fe41c847e531c10015c211aa59733cc8f57fa9606f12dc3130869ae8110fc446c2ee26975483471308200fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ba214d3f-dff4-4064-a5b5-604e467a665d.tmp

Filesize
5KB

MD5
434972188a8528b578dbcafc9126dfec

SHA1
d51816e8226335f01765628ce1780a7bd85044d0

SHA256
415e06fdc0e2f29e4f91439c0d0cb981e996f4cdaa664ec85774b41c57e96448

SHA512
3a20deb6c5132a112d90a52470c3cc0566e139ec17b963144e33072b84757b0cebaf893b1bbcd2f6c62156b17a325dad6a83be1b01edc7cf011faccad371dce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b799fd750e391b05832aa239943a0a88

SHA1
abd674c0c7551859aae066406e12b89fe5a813cb

SHA256
0f436dfba37a2ba6a55a9d754e3943689487ae1f0faefa624571868b51439236

SHA512
aa6d2b56d74ce94fe50a856650942cd25ce9f3b99b22ec07e092e32c969c42cc8ed29ea112ea276b035b05e678a64e497e7dd7e9a9244f6c39e5f8d9c92ec5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit