Analysis
max time kernel: 12s
max time network: 16s
platform: windows10-2004_x64
resource: win10v2004-20241007-es
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 14/10/2024, 23:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://restuapp.com/tjorlzcdqbfyibmjwumi
Resource: win10v2004-20241007-es

General
Target: https://restuapp.com/tjorlzcdqbfyibmjwumi
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                                   | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description     | ioc                                                                                                    | Process
Key created     | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734235536291365" | chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
1620 | chrome.exe
1620 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid  | Process
1620 | chrome.exe
1620 | chrome.exe
1620 | chrome.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description                       | pid  | Process
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Token: SeShutdownPrivilege        | 1620 | chrome.exe
Token: SeCreatePagefilePrivilege  | 1620 | chrome.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
pid 1620, chrome.exe (26 occurrences)
Suspicious use of SendNotifyMessage (24 IoCs)
pid 1620, chrome.exe (24 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://restuapp.com/tjorlzcdqbfyibmjwumi
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1620

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff9502ecc40,0x7ff9502ecc4c,0x7ff9502ecc58
  PID: 4396
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
  PID: 2192
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
  PID: 2976
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  PID: 2348
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  PID: 4748
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2896 /prefetch:1
  PID: 372
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3860,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  PID: 5108
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,4814081357167250265,7011592902262723577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  PID: 184
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 3232
Network
MITRE ATT&CK Enterprise v15
Downloads