hxxps://iol[.]srw[.]mybluehost[.]me/En/

Analysis

max time kernel
33s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://iol.srw.mybluehost.me/En/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730157292013457"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 4528	2884	chrome.exe	85
PID 2884 wrote to memory of 4528	2884	chrome.exe	85
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 4832	2884	chrome.exe	86
PID 2884 wrote to memory of 1180	2884	chrome.exe	87
PID 2884 wrote to memory of 1180	2884	chrome.exe	87
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88
PID 2884 wrote to memory of 2512	2884	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://iol.srw.mybluehost.me/En/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f3dfcc40,0x7ff8f3dfcc4c,0x7ff8f3dfcc58
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,2069677024915319966,4897435084842069459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
3cc03440089f5d840905386c91dd1043

SHA1
590f4564fe3a32530735710959e224388158af1a

SHA256
aac70631c60a2df17dd91e10735c1a3d8dd9ec88f8c65a42f50738f124db5a10

SHA512
9ac959b659923d63a777219e8bdf2c82c05ac00674280bf96a1342560353b56e549973a2dae81a150c9de5cbedc60ebb5951cb492a870eb4d4e7f71143b13cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
551a0eb992a78d9cd9b91c3a14b3cc18

SHA1
49e9d136761d97ef82b02990e53bf3bedebcae22

SHA256
59dbcbc7ea4e6634a2f385de8e5c6392dfbdc8df58085774729341faf67cbaaf

SHA512
4f6b2295972708bb8eef8911aceb746ad67767761c7d1b9443f13b2b80fd8086926cf791cfd1f705ce97f39510e8f6be81c3945c34fa2dfadeaebf7b4cdd9a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
adcf2ce4abd6ad7a69a59cf40bf9e5c0

SHA1
7cc0d90761324ef50b256492c361543311141952

SHA256
28bd6bc914d758a10a1c8b0d544391fc7c1fd30a40cc1a9574e4834cdf0c29f7

SHA512
98fa5646569f787e0c1879e13a8bd0bc736cf1778871ae8f52bec2b64ddeb6cb445ba140bb7737bd3be53f6369a0b7b7958be48693282208d9559baef6f42ca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7b78fd32805933b0a6ccd8e02e62453c

SHA1
88acb94681592f66a12809b963dec1427cc2caf9

SHA256
9c30789fe69f8fc1f10b2161904d04ccfd53bc17cd2d756a319653e64b01be08

SHA512
b0eea4c2870c09ec1315d1ec46e31c4a2f6bab40457667422630c170ea669b41d98f1ab01d92b672c077a9c0bd2aa5f36e0c8c6ddbe6f9f6ba743568f6e42fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1f72cb5b8e58e633d6b393606660cf97

SHA1
feebbaa74e857158ab419b40eb0be25eb5c62e29

SHA256
a6bda566ff5384217ac2f6bb75c257dcf3a9b56746148c7696b9e26c8bf4b989

SHA512
04e237ed7bd1396b07dbab6b8dfd9c018774e78b886244419ebdd280ec170c8ba089400552b19c0d585be75940762bb6ca0973dfd883286c40c0a209c78406a3

Download Submit