Analysis
max time kernel: 65s
max time network: 65s
platform: windows10-2004_x64
resource: win10v2004-20240802-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 17-09-2024 17:12
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://fperez.archive.us-east-1.oortech.com/yorez/altd?signatu
Resource: win10v2004-20240802-es
General
Target: https://fperez.archive.us-east-1.oortech.com/yorez/altd?signatu
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / IoC):
  67  api.ipify.org
  68  api.ipify.org
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description / IoC / process):
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe
Modifies data under HKEY_USERS 2 IoCs
Processes (description / IoC / process):
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                            chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133710667940826512"   chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid / process):
  856  chrome.exe
  856  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes (pid / process):
  856  chrome.exe
  856  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process):
  Token: SeShutdownPrivilege        856  chrome.exe
  Token: SeCreatePagefilePrivilege  856  chrome.exe
  (the two entries above alternate across all 64 IoCs, all from PID 856)
Suspicious use of FindShellTrayWindow 26 IoCs
Processes (pid / process):
  856  chrome.exe
  (the same entry is repeated for all 26 IoCs)
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid / process):
  856  chrome.exe
  (the same entry is repeated for all 24 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process):
  PID 856 wrote to memory of 4124  856  chrome.exe  chrome.exe
  PID 856 wrote to memory of 3756  856  chrome.exe  chrome.exe
  PID 856 wrote to memory of 4232  856  chrome.exe  chrome.exe
  PID 856 wrote to memory of 1788  856  chrome.exe  chrome.exe
  (64 IoCs in total; every write originates from chrome.exe PID 856 and targets one of the four child chrome.exe processes listed above)
Processes
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://fperez.archive.us-east-1.oortech.com/yorez/altd?signatu
PID: 856
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb163dcc40,0x7ffb163dcc4c,0x7ffb163dcc58
  PID: 4124

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1780 /prefetch:2
  PID: 3756

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:3
  PID: 4232

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
  PID: 1788

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  PID: 2372

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  PID: 1600

  Child of PID 856:
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:8
  PID: 3520

Path: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 2612

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 3936

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --field-trial-handle=2616,i,15554696853514343836,10056627555468107043,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads