hxxp://yap[.]wrq[.]mybluehost[.]me/web

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://yap.wrq.mybluehost.me/web

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730163352568620"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3336	1792	chrome.exe	83
PID 1792 wrote to memory of 3336	1792	chrome.exe	83
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 2912	1792	chrome.exe	85
PID 1792 wrote to memory of 4368	1792	chrome.exe	86
PID 1792 wrote to memory of 4368	1792	chrome.exe	86
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87
PID 1792 wrote to memory of 2916	1792	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://yap.wrq.mybluehost.me/web
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xd4,0xfc,0x100,0xe0,0x104,0x7fffbc81cc40,0x7fffbc81cc4c,0x7fffbc81cc58
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2060,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3888,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3320,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4868,i,1071869915469295427,15967897577253468170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
389c47940a776c99f842f01a301bc36b

SHA1
73c1e27d7e6b6bf61c7d9b13dc990106be5e3dee

SHA256
dee25f99c61f654c3f4b967127691ec61ede94687d49047cd6761091a055ae39

SHA512
7490d5bb00a3224b66737b5a5b126e77bd5de1eda6a67c1a6195d544655b201843158384aee972b279702f6a63409e8785841069dc05665b4a2aee4cbdd314a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
5ffc1559437ba867434960cdc3ddf2ab

SHA1
5b5687745571926f8823e74f9d2ce1600bad8345

SHA256
cef3e6f9e2feea737436fa13ba0f1951548d0ec7a0daf9ddfd7bb852317a87cc

SHA512
42d65e8ae1d714cfd59d938bef2981f97c5c13478841f5e0309479f5721d9cb47a4656697b3f8bf9b17fdbe4355f311347620178c4ca210c6327040af917c3e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
543ce4bbaa2d6ca01d4a6126a5b150f1

SHA1
c0ac6a93dde167c65766e7e4a6384cd8601fd683

SHA256
69e3f6ba81ec6ebac3c9c63c1003df07ea2c521d59cd876a9700c912c75e2abc

SHA512
91118c16aa758d4c58ec0beb2949dbecc7bfafd97356a3b22706bd78a6e89d5e2a33203380024ab61b5e750a9621057393a0c2d92a10b00efe63d3de69d6e232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c80ec22eca848534768b499d4392021

SHA1
4cd4d7c6d2351e79cd0c537330fbf4a41de34593

SHA256
8a7ef80735aab610a0707021ca4ba276e27cdf7c2165ecf20a1a19fb1238f76a

SHA512
2476a6822bc0aa0e6a2926cbd284eac2f0cc4a6300195eda247ab4bb0a8ca7444d746416f7b27bb022599a45428f5046bb6b34438a2df45e0071dc08d883e4e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5437c8310852b6bf0a58b49629b54a65

SHA1
ce606a9335009d8a1bd95cdeececca3e5b0c607f

SHA256
96a9771e66810eba821b21fe11ed13efffc06d5b4c102999308e06ba2e6a27bc

SHA512
ba2ac36195fbb1eba90be10c9c19ef076f059a7c3902278d658f1a1279370333102e216339b80a051fa2aba7d13ac5561ae1e0d837aa0f3fd67fad39accdceb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8251cdcce7e7bbf304bb97f105adf23

SHA1
1dfb52b5770cc2f345c6a3cc5b425ba87d10a8d2

SHA256
6898b1bc3e833c92023f2945ac9ada4a14f039d7b5f1091007c795098c1e9f64

SHA512
6908e42fe31dfeec4ae1bd778eb2272164923d38b206e6b64f47c5cb973b933c346913e09e4313baba072272574c214aabd37ec58eff0d625a1ea1a4e0978a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
896fe866f2d5280b6fbda15382e4468a

SHA1
cc7f2d16f008559ce2d6b7b220b0e2eb07093b76

SHA256
6166f2ad74ed464dcc9896de4ff7d60a1910f966880da47f7ec0857df74bc91c

SHA512
483c0b130561a0531edad9a0336e4ac0f23c1206fbda1a4909621c34632c688a313a7f004f3d6cc57ed95f1b8b230b7ddcc1d488d817ba1b3a1f8b2a864717d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0a5477aecfaad61d243f539089d5caa1

SHA1
d65b32935b3bf8a66a52f37b61cc4c6646e25557

SHA256
37d3ba3e3a8937186b749ab7adc772491a63a6a639a6c1fa5de3688920a081cd

SHA512
d320179620203b375a5fd574485d799e29351976b40873c1b77d038966cdabb2847c81e9916ed02c7a8ea3f74ffb7fda907f7ab73d8437100f0dcd95ec78717d

Download Submit