Analysis Overview
Threat Level: Known bad
The submitted URL https://fperez.archive.us-east-1.oortech.com/yorez/altd?signatu was found to be: Known bad.
Malicious Activity Summary
Looks up external IP address via web service
Browser Information Discovery
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 17:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 17:12
Reported
2024-09-17 17:14
Platform
win10v2004-20240802-es
Max time kernel
65s
Max time network
65s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133710667940826512" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://fperez.archive.us-east-1.oortech.com/yorez/altd?signatu
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb163dcc40,0x7ffb163dcc4c,0x7ffb163dcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1780 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,10392718619711231391,5908222612418398446,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --field-trial-handle=2616,i,15554696853514343836,10056627555468107043,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fperez.archive.us-east-1.oortech.com | udp |
| US | 170.106.201.213:443 | fperez.archive.us-east-1.oortech.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | www.w3schools.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| FR | 192.229.133.221:443 | www.w3schools.com | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | code.jquery.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 104.17.248.203:443 | unpkg.com | tcp |
| US | 151.101.66.137:443 | code.jquery.com | tcp |
| US | 104.18.10.207:443 | stackpath.bootstrapcdn.com | tcp |
| GB | 216.58.204.74:443 | ajax.googleapis.com | tcp |
| US | 104.18.11.207:443 | stackpath.bootstrapcdn.com | tcp |
| US | 13.107.246.64:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | image.thum.io | udp |
| US | 8.8.8.8:53 | logo.clearbit.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 18.154.84.103:443 | image.thum.io | tcp |
| GB | 18.172.153.55:443 | logo.clearbit.com | tcp |
| GB | 172.217.16.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.201.106.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.133.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.248.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.11.18.104.in-addr.arpa | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | 103.84.154.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.153.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
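Most rows in the Network table above are noise for a URL detonation: reverse (PTR) lookups Chrome performs on the addresses it contacts, the browser's own service traffic, and the CDN dependencies the landing page loads. The hosts an analyst would actually pivot on are the submitted landing host, api.ipify.org (external IP lookup, matching the "Looks up external IP address via web service" signature) and api.telegram.org (a Bot API contact from a detonated page is worth a closer look, although the report does not show what, if anything, was sent). The script below is an added example, not part of the sandbox report: it parses rows in the table's own format, buckets them, reverses PTR names back to the IP that was looked up, and collects the TCP endpoints for the hosts that merit hunting. The bucket lists (which domains count as "flagged" or as ordinary web dependencies) are the editor's heuristics, not something the report states, and the sample rows are a constructed subset copied from the table.

```python
"""Triage a sandbox 'Network' table: keep the hosts worth hunting on.

Added example, not part of the sandbox report. FLAGGED_SERVICES and the
BENIGN_* lists are the editor's own heuristics (assumptions), not report data.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's Network table.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fperez.archive.us-east-1.oortech.com | udp |
| US | 170.106.201.213:443 | fperez.archive.us-east-1.oortech.com | tcp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 13.107.246.64:443 | aadcdn.msauth.net | tcp |
| GB | 172.217.16.234:443 | content-autofill.googleapis.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
"""

# Heuristic buckets (assumptions). Suffix matching is deliberately coarse:
# anything under a CDN suffix is "dependency", which says nothing about what
# the page loaded from it.
FLAGGED_SERVICES = {
    "api.ipify.org": "external IP lookup",
    "api.telegram.org": "Telegram Bot API, commonly used as an exfiltration channel",
}
BENIGN_SUFFIXES = (".cloudflare.com", ".googleapis.com", ".msauth.net", ".bootstrapcdn.com")
BENIGN_EXACT = {"code.jquery.com", "unpkg.com", "www.w3schools.com"}

ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_rows(table_text):
    """Parse '| Country | Destination | Domain | Proto |' rows; skip the header."""
    rows = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("country") == "Country":
            continue
        rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """'234.187.250.142.in-addr.arpa' -> '142.250.187.234'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(domain, submitted_host):
    """Assign one row's domain to a triage bucket."""
    if not domain:
        return "no_domain"          # e.g. mDNS to 224.0.0.251:5353
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"         # browser reverse-resolving contacted IPs
    if domain == submitted_host:
        return "submitted_host"
    if domain in FLAGGED_SERVICES:
        return "flagged"
    if domain.endswith(BENIGN_SUFFIXES) or domain in BENIGN_EXACT:
        return "web_dependency"
    return "review"                 # unknown host: look at it by hand


def triage(table_text, submitted_host):
    """Return (buckets, endpoints): domains per bucket, and TCP endpoints for hosts to hunt on."""
    buckets = defaultdict(set)
    endpoints = defaultdict(set)
    for r in parse_rows(table_text):
        bucket = classify(r["domain"], submitted_host)
        buckets[bucket].add(r["domain"] or r["dest"])
        if bucket in ("flagged", "submitted_host", "review") and r["proto"] == "tcp":
            endpoints[r["domain"]].add(r["dest"])
    return ({k: sorted(v) for k, v in buckets.items()},
            {k: sorted(v) for k, v in endpoints.items()})


if __name__ == "__main__":
    buckets, endpoints = triage(NETWORK_ROWS, "fperez.archive.us-east-1.oortech.com")
    for bucket, domains in buckets.items():
        print(f"{bucket}: {domains}")
    for host, eps in endpoints.items():
        print(f"hunt on {host}: {eps} ({FLAGGED_SERVICES.get(host, 'landing page')})")
    for name in buckets.get("ptr_lookup", []):
        print(f"PTR {name} -> {ptr_to_ip(name)}")
```

Feeding the full table through `triage` leaves three hosts with TCP endpoints (the landing host and the two flagged services); everything else is PTR traffic, mDNS, or page dependencies, and anything landing in the `review` bucket is a host the lists above did not anticipate and should be checked by hand rather than assumed benign.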
Files
\??\pipe\crashpad_856_DIEGPZEJMONUFYUE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 3e1aee6bb6e03a35b0c228e978e5002f |
| SHA1 | 197eda629001a05de36a9b175cdd7a599f9bbfbd |
| SHA256 | d73e06311d5c5258e0f0fd4cda6cd2ddc9cdc0964a521a307761ce93ef09dca8 |
| SHA512 | a229f60a3bc1d55f3c4970d4f2576426035596de33ad8e6960eb4d20bba8b076a668bb80c39b9be592151ce6e692f9460b1c8a80f01f149f7333c00790265fa9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f3ea4b81e447f068fecbfcf6d5d507c6 |
| SHA1 | 02f8f9a91ea88547a0ed7a40e5b3e9254aa92ebc |
| SHA256 | 8835f8de65bb03541cf38e3957743176e08a906ccc69eb57ede2b2be55627e95 |
| SHA512 | 5b78e3ed6d0752da572f1aae67b6d9ff50e510f37032e7dc2caf281e7d256a82ded2c6c950e3916e57fe2a069402e1f13b0166be8ab425dcd9108130ecfeb0c9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b3981d2a324fe6c565a316e15a868217 |
| SHA1 | 65dc7148e3d78613fcb704aefadc5eded1a36def |
| SHA256 | 2b08c355a9e54d580fbb47a40a062b8cc8bb9204cb0c2d427bff5dac599e5998 |
| SHA512 | 5a2d2b3cdb6047f5bbba8ccdf07320b5c685cf8c771182d0b5cd23f8112119891035bab799298b49f34756ef5c69723c851f8ead75cfd1f44877a6e900165c14 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c9b853ab9175f6a4680433f63ca5dd64 |
| SHA1 | ab1193e92f691555623d8fc9dd108350b37bbf50 |
| SHA256 | 1365511d4d0269421f7ae70b0f1163e3f4758c9b2311dc5a972adf71bc3dde9c |
| SHA512 | a05183d170fc29b93f6f8f1f728e5d759f6e680a5e5e10f319059934093cd4d57570354556d811cd1a2596a5b9bb59d45347edfe290a841c575c7a79d740d987 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 56386a8ecd4942837e2bd9bed742f96e |
| SHA1 | 8a818979eb65a733d463517d890ebee6a42a0f56 |
| SHA256 | febd231e5f0def84e60a6d4adb02b0fa07a9d4cbb70e77235ac2a8e098690450 |
| SHA512 | 5f8b483c5acf8b3727405cb34c7a08dafb7889afce417efd59a6eab8fab3260f12f77cceca3cae422c54dfe0c18dab836e11473e977a84b42668e5f961d28d0f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 82ed3c22eeddecb06cf66874fc842c46 |
| SHA1 | 26c42843318c306f3b5bfbafaeb2c2662b6b9c1b |
| SHA256 | 9603248073672e4d198eb28ac49e43580975eac2fb9285fcca882e742e99c53b |
| SHA512 | 84c3c00bfa74a7a1d98b8081eb26c67b9318d8cfd9145b107c7991d240099bbb70bdf43d2bb0153ef75326e54cd381aaa03cc5861a53acd0fa0ad45fb3cc8271 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a5691ca5aa6cf901cb1706ce6fc8ec86 |
| SHA1 | 23cf755fe5973e7fa6a01ac9f8edae7aba739bfe |
| SHA256 | 45899f6fcc63dd8b5d7338f80afbd28959e9dbb161671cb2a85064f22b69fd80 |
| SHA512 | 3a9171f638bd3fbd816ff344eb617bcfb1f54f9f4f9f28a17d374d8a5712bdfd2be45b5b1454e035399b5c677acc472d73fc77634965f786fa355032d6a35204 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0d6fbe2f02dcc0cf4f7c4eaac2ea58a4 |
| SHA1 | 7ae538b29294f5b73d78f6b2d392ca8866c09101 |
| SHA256 | 19fd62495502d4609ff6587b8419ec68e644f1ef2d07a9246840c64378fffd2c |
| SHA512 | afc934047f063013b11b347eb25f29f739ae41690e4350e1b3d4fe8994eb03d01a0305a7d6f13c5154b886315536d49658afb7e27e30c39b4b7454f859a9a405 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f50d8d705645b18a5a4de273820dd68d |
| SHA1 | 7767f42238dc1305a41e3f9fb6b576a83fa062a9 |
| SHA256 | a711e8eb3a5168f1ec702a0c97136f28d87a7e2269a82c89b4ae261f672cd1c5 |
| SHA512 | 61b0e41a53962411e36b49566b97bbecf61ebad02bf655e06841362ef94d673a6be742dbee0b0fb8e9f0dd45e3320ed35bce90e9d55932dd69fd1f518a128066 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 35954ce062695548fac8296e76024b8e |
| SHA1 | be7f3eb82836b0e099ff2fc249c87d68287cc122 |
| SHA256 | 4b8c4d4b185de6320cca280727c3709da923c025f548687bc6691389dab03ae9 |
| SHA512 | ea84912fe61ac32276fa96eb4927f82380b5d538debbd9810c2dc46c8e2022345d600701cb2329cb40f7c38bb4714975b01d3820d9ba8c19de1f4553b13811d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e2eadc6475621bd3d45cba1c70bef0be |
| SHA1 | 9efabe1efe61ae0d50ddb6a71e81d47df913b01b |
| SHA256 | 32cbe21015313e8c1666dca52846a0f92b0f3b20e788b5783e23282a21b8f0eb |
| SHA512 | 00fa4b12ba8bda68ce43f1ffc5caea8cc4e4c23532c0b3b39b5acd29b5b560faa60df3f99fe999fb66c8ee8dbace8e7ad561c1f09504471bd6155ff0d90af99a |