Analysis
max time kernel
55s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted
09/11/2024, 21:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://172.21.124.113:80/
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
https://172.21.124.113:80/
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
https://172.21.124.113:80/
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
https://172.21.124.113:80/
Resource
win11-20241007-en
General
Target
https://172.21.124.113:80/
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
description                   ioc                    Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description      ioc                                                                                                   Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                 chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756620088000110"  chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
5020  chrome.exe
5020  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid   Process
5020  chrome.exe
5020  chrome.exe
5020  chrome.exe
5020  chrome.exe
5020  chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                       pid   Process     entries
Token: SeShutdownPrivilege        5020  chrome.exe  32 (alternating with the row below)
Token: SeCreatePagefilePrivilege  5020  chrome.exe  32
Suspicious use of FindShellTrayWindow (26 IoCs)
pid   Process     entries
5020  chrome.exe  26
Suspicious use of SendNotifyMessage (12 IoCs)
pid   Process     entries
5020  chrome.exe  12
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target  entries
PID 5020 wrote to memory of 2972  5020  chrome.exe  79             2
PID 5020 wrote to memory of 1068  5020  chrome.exe  80             30
PID 5020 wrote to memory of 4304  5020  chrome.exe  81             2
PID 5020 wrote to memory of 3516  5020  chrome.exe  82             30
Processes

[PID 5020] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://172.21.124.113:80/
  Signatures:
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children of PID 5020:

  [PID 2972] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa9cc40,0x7ff8faa9cc4c,0x7ff8faa9cc58

  [PID 1068] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1744 /prefetch:2

  [PID 4304] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3

  [PID 3516] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8

  [PID 3088] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1

  [PID 2476] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1

  [PID 2792] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3648,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:8

  [PID 4784] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4744,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:1

  [PID 2000] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4348,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1

  [PID 1696] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3104,i,4296143604568951112,12965651494249685436,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:1

[PID 4128] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

[PID 3808] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
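Two questions decide how much of this report is signal: could the sandbox reach the target at all, and do the "wrote to memory of" hits mean injection or only a browser launching its own helper processes? The script below is an added example, not part of the sandbox's tooling. Its PROCESSES table and MEMORY_WRITES pairs are transcribed from the Target, the "Suspicious use of WriteProcessMemory" rows and the process tree above (command lines trimmed to the switches the checks read); the default-port table, the candidate rules and the function names are assumptions.

```python
"""Triage of a URL detonation report: is the target reachable, and are the
WriteProcessMemory hits cross-process injection or plain process spawning?

Added example; not the sandbox's own code. Data is transcribed from the
report (trimmed command lines); rules and names are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# pid -> (parent pid, or None for a tree root; command line trimmed to relevant switches)
PROCESSES = {
    5020: (None, "chrome.exe --disable-background-networking --disable-component-update "
                 "--single-argument https://172.21.124.113:80/"),
    2972: (5020, "chrome.exe --type=crashpad-handler --url=https://clients2.google.com/cr/report"),
    1068: (5020, "chrome.exe --type=gpu-process /prefetch:2"),
    4304: (5020, "chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService "
                 "--service-sandbox-type=none /prefetch:3"),
    3516: (5020, "chrome.exe --type=utility --utility-sub-type=storage.mojom.StorageService "
                 "--service-sandbox-type=service /prefetch:8"),
    3088: (5020, "chrome.exe --type=renderer --renderer-client-id=6 /prefetch:1"),
    2792: (5020, "chrome.exe --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics "
                 "--service-sandbox-type=none /prefetch:8"),
    4128: (None, "elevation_service.exe"),
    3808: (None, "svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc"),
}

# (writer pid, target pid), one entry per distinct pair; the report repeats each many times
MEMORY_WRITES = [(5020, 2972), (5020, 1068), (5020, 4304), (5020, 3516)]

TYPE_RE = re.compile(r"--type=(\S+)")
SUBTYPE_RE = re.compile(r"--utility-sub-type=(\S+)")
SANDBOX_RE = re.compile(r"--service-sandbox-type=(\S+)")


def triage_target(url):
    """Reachability flags: private address literal, and https/http on each other's port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    try:
        private = ipaddress.ip_address(parts.hostname or "").is_private
    except ValueError:
        private = False  # hostname is a DNS name, not an address literal
    # https against a plaintext-HTTP port (or the reverse) fails at the handshake,
    # so a report like this one shows browser start-up, not the page's behaviour.
    mismatch = (scheme == "https" and port == DEFAULT_PORTS["http"]) or \
               (scheme == "http" and port == DEFAULT_PORTS["https"])
    return {"scheme": scheme, "port": port, "private_host": private,
            "scheme_port_mismatch": mismatch}


def chrome_role(cmdline):
    """'browser' for the main process (no --type switch), else type[:utility sub-type]."""
    m = TYPE_RE.search(cmdline)
    if not m:
        return "browser"
    sub = SUBTYPE_RE.search(cmdline)
    return f"{m.group(1)}:{sub.group(1)}" if sub else m.group(1)


def foreign_memory_writes(writes, tree):
    """Pairs whose target is not a direct child of the writer.

    A parent writing into a child it has just created is ordinary process
    launching; Chrome's sandbox broker in particular writes its policy into
    each suspended child before resuming it. A write into a process the
    writer did not spawn is the case to escalate.
    """
    return [(w, t) for w, t in writes if t not in tree or tree[t][0] != w]


def unsandboxed_children(tree, parent):
    """Children of `parent` launched with --service-sandbox-type=none, sorted by pid."""
    out = []
    for pid, (ppid, cmd) in tree.items():
        m = SANDBOX_RE.search(cmd)
        if ppid == parent and m and m.group(1) == "none":
            out.append(pid)
    return sorted(out)


def triage(url, writes, tree, browser_pid=5020):
    return {
        "target": triage_target(url),
        "foreign_writes": foreign_memory_writes(writes, tree),
        "write_targets": {t: chrome_role(tree[t][1]) for _, t in writes if t in tree},
        "unsandboxed": unsandboxed_children(tree, browser_pid),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage("https://172.21.124.113:80/", MEMORY_WRITES, PROCESSES), indent=2))
```

Run against this report the script finds no write into a process that 5020 did not spawn, every write target is one of Chrome's own --type children, and the target is an RFC 1918 address with https on port 80; the "suspicious" rows are therefore consistent with a browser that started, spawned its helper processes and never got a page.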
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 649B
MD5: cdcaf17b5508491ba39dabfa6b9c3a73
SHA1: 7400623ba9fd49d834f93d1fb5069ea4361f46e5
SHA256: 6421da1f3a248c2f5988468e9d332d5dcb5d36abc4d6157c6cff99c179d49e9d
SHA512: 00bb236b0e03cd0efd391b1bae03765d0c650e93fc020c70ef001c71a979be2feca4bf32ccce8fc1afb27d62de5cef112169b89d91bde3576d39f49a2a478f34

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 9KB
MD5: 3aa47ba96e406f3df421222f44107c27
SHA1: 5ca7d516a8832a978949d80a49320215572fdb84
SHA256: 912089a9b679897231324a0d499f2de658f285f0d192676d66b7ec422342838a
SHA512: 247ec453117053f3c52b6ca00f240df66a2528c796793f4b21b299043a0ca0ab5459137da467ca04341b9df61ae5a77eb1c2f8c711cf87e28b9b57d38b9062dd

Filesize: 9KB
MD5: 18e505f6b002308e59e253969f90f7f9
SHA1: f82b38a9785bc8399fce7a774eef4debbe0039ea
SHA256: 35669c1ab4bd69a7bba6e2a8ea32833fde7590fbddff91824268b05d9a220ccf
SHA512: 1edbb92d3d417b36fedffb60e5fe73d8e86302b48ef26c27dbb18b982ce2e53f083d8b97ea644a58abf1cf1825bf98685f4afcfb7d9b067438ae5c7f89e938e9

Filesize: 9KB
MD5: 6f224415e475f18de2e92528616a2aa3
SHA1: 1912f43b994606ed0bc79653afed4e8bc49df6d0
SHA256: 49f5a0e5df9a4e3884cbe02401510fdcb1c9cd16f8d93df3bfed4eaf34dcfb7e
SHA512: b3baaeeac97435330ae4a23e40d5ab96410c1ab9a8202a92f8e87800d39b14c3f339b863237bcea0743dbf45e9e49e18c21bc99b3a44520281f5fa6c96a5180c

Filesize: 9KB
MD5: a0bf408dadbd7d9016170b23abfcd27c
SHA1: ca04d8d62f8b57e7b904dd6a218c63df0261f093
SHA256: 1fceef9755336db41f545c0952510780e744ed6ed507206db8b1a9213a394d7f
SHA512: 02578a810e3f2f44ccb41d1f88b0598cb69bbf1335509f7aacb7e0da2d8e8230ef7fe1c20ce6f20ebc476677dea67a79e93eb608835c1a749e976bd36e69eceb

Filesize: 228KB
MD5: f24d4149bc74d6f1556c3278c9089a20
SHA1: ab2c2d767039fac8c11edcb66c6aeb656fd1aae5
SHA256: 69c394c236b37393f120a3a23676079b1a98b823051e34271f91c23a6ef78f68
SHA512: b904ec33bb685b73d751c2aa980100e0fb7a88dcbbfe7d0f67e28eef5b3457f7863219a9b8fc4e03dfed869ee6c09ed5c3542b6a963360b4a2be4640eac5146f

Filesize: 228KB
MD5: 308986cc4820b5c88c6204e8b38cf229
SHA1: 87418a6822909e362a5fd3d8468dce03379bc7bb
SHA256: a934cbc8287f5a99624063fc27bd2dbfd2a19ca04ca7d2b9bef499b934b81f3a
SHA512: 8b04836b273e917ad893b3a47a2731657e65cab916eb67b6bb175af8a84a323e97d05d457df694ccb8766515e185a4a5c87b0473269248b88a0aac14e4dfdec6
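Before pivoting on any of the hashes above it is worth checking that each digest has the length its algorithm requires (a raw export of this page fuses the label onto the hex, so a mis-split line is easy to carry into a blocklist) and whether a tiny artifact is just a well-known placeholder body rather than something the target served. The script below is an added example, not the sandbox's own code. REPORT_TEXT holds two of the entries from the Downloads table above in the label-fused `MD5<hex>` form a raw export produces; the list of candidate placeholder bodies and the function names are assumptions.

```python
"""Sanity checks on a sandbox report's download hashes.

Added example; not the sandbox's own code. REPORT_TEXT is transcribed from
the report in the label-fused form a raw page export produces; the candidate
placeholder bodies are an assumption.
"""
import hashlib
import re

REPORT_TEXT = """\
Filesize
649B
MD5cdcaf17b5508491ba39dabfa6b9c3a73
SHA17400623ba9fd49d834f93d1fb5069ea4361f46e5
SHA2566421da1f3a248c2f5988468e9d332d5dcb5d36abc4d6157c6cff99c179d49e9d
SHA51200bb236b0e03cd0efd391b1bae03765d0c650e93fc020c70ef001c71a979be2feca4bf32ccce8fc1afb27d62de5cef112169b89d91bde3576d39f49a2a478f34
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^(\d+)(B|KB|MB)$")

# Bodies a browser or sandbox commonly writes as empty state files (assumed list).
CANDIDATE_BODIES = [b"", b"[]", b"{}", b"\n", b"\r\n", b"0", b"1", b"null"]


def parse_downloads(text):
    """Split the fused export into entries: {'size_label', 'size', 'hashes'}.

    'size' is an exact byte count only when the label is a plain 'NB';
    'KB'/'MB' labels are rounded in the report, so 'size' stays None for them.
    Raises ValueError on a digest whose hex length does not match its algorithm.
    """
    entries, cur, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "Filesize" and i + 1 < len(lines):
            label = lines[i + 1].strip()
            m = SIZE_LINE.match(label)
            size = int(m.group(1)) if m and m.group(2) == "B" else None
            cur = {"size_label": label, "size": size, "hashes": {}}
            entries.append(cur)
            i += 2
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            alg, hexd = m.group(1).lower(), m.group(2).lower()
            if len(hexd) != HEX_LEN[alg]:
                raise ValueError(f"{alg}: {len(hexd)} hex chars, expected {HEX_LEN[alg]}")
            cur["hashes"][alg] = hexd
        i += 1
    return entries


def identify_body(entry):
    """Return the candidate body whose digests match every hash the entry lists, else None."""
    if entry["size"] is None:
        return None  # rounded size: cannot pin the body down from a size guess
    for body in CANDIDATE_BODIES:
        if len(body) != entry["size"]:
            continue
        if all(hashlib.new(alg, body).hexdigest() == hexd
               for alg, hexd in entry["hashes"].items()):
            return body
    return None


def placeholder_hashes(text):
    """sha256 values in the report that belong to known placeholder bodies (skip these as IoCs)."""
    return {e["hashes"]["sha256"] for e in parse_downloads(text)
            if identify_body(e) is not None and "sha256" in e["hashes"]}


if __name__ == "__main__":
    for e in parse_downloads(REPORT_TEXT):
        print(e["size_label"], e["hashes"]["sha256"][:16], identify_body(e))
```

The 2-byte entry resolves to the literal `[]`, an empty JSON array, so its hashes identify nothing about the target and should not be used as indicators; the 649-byte entry matches no placeholder and is the one worth pulling from the sandbox for inspection.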