hxxp://101[.]37[.]166[.]228/

Analysis

max time kernel
599s
max time network
529s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://101.37.166.228/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725542564759809"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
4732	chrome.exe
4732	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 4700	612	chrome.exe	74
PID 612 wrote to memory of 4700	612	chrome.exe	74
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 4580	612	chrome.exe	76
PID 612 wrote to memory of 664	612	chrome.exe	77
PID 612 wrote to memory of 664	612	chrome.exe	77
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78
PID 612 wrote to memory of 1612	612	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://101.37.166.228/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa864c9758,0x7ffa864c9768,0x7ffa864c9778
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2636 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2644 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4148 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4228 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4100 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3556 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4304 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4028 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=692 --field-trial-handle=1852,i,9865863127796371856,2112449166475144945,131072 /prefetch:1
  2⤵
  PID:2564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
831f487df965fe80eb1d41ac79c8aa0e

SHA1
de1cd20605bd0b7fecea58b2b8e1a5741e490693

SHA256
b15583dd791048ba801f19454cc4e55ab39b0c6151df15115ed09551d34e3d72

SHA512
035f17278bcb0e6c153b18585e8d9161bb3cc1f81de9b2c9a8700f0a6c5c08f086cbbccb3f30451f44d6be0cd00285d3ef391bd3b0b74b1e5fd248944357b090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
63f924c69a46d146ef12404baae7d178

SHA1
8110b0a1796d9ab2b26bd559c3ce1ff149b919d7

SHA256
502b8b7f4b82d4b952139085daa0c32386aa91d0172ce900df87d56d866c240e

SHA512
f04cb9c325b53af35455bd028c7367a79a6d7e7558bc34adc89591cc456d2eca6ffaff1eb4589cc04a87967a5953c83e342071d5ba3d997d7d7d23baa852ca2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0e3806eb728313762687dd8efda57f36

SHA1
c255ba8ae441daf17bd52f2e04f7a6e524015292

SHA256
e119056a933805cee3145badd654c0971c0293e9cbe1eca004231a0ad0442136

SHA512
68a6e92c5a12282f0859478b686c9c33c202416e6ebe3c8d11c57bcfcf11f605ab0e8574efb5a84aab2743f83afb3ee1cf4b36fb07d0aea56f4d6c414a29f14b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
4adc7b6cdd6d153348bb8c7c467efe5e

SHA1
30e2ac926d7b83325bdfe34279b5aaadbf5301bc

SHA256
16c507710093df450a0bee7e8e110947f1c91e3d412bedfb8ec659f1a430d200

SHA512
f71e805ba94b981213a9328f2736d3f4282f85f468aec9cbab397a1da7099d3754e7335ed63e1438b056a2b63ce54324fb34dc5e71c2a3a5d818122c62758592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit