hxxps://iS[.]etulacrav[.]com/BaoC/#test@yahoo[.]com

Analysis

max time kernel
26s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://iS.etulacrav.com/BaoC/#[email protected]

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765141854995556"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 552	2788	chrome.exe	83
PID 2788 wrote to memory of 552	2788	chrome.exe	83
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 1484	2788	chrome.exe	84
PID 2788 wrote to memory of 60	2788	chrome.exe	85
PID 2788 wrote to memory of 60	2788	chrome.exe	85
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86
PID 2788 wrote to memory of 5052	2788	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://iS.etulacrav.com/BaoC/#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc5f30cc40,0x7ffc5f30cc4c,0x7ffc5f30cc58
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3244,i,1694751950760872233,15088405807291608248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:3096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
186d8a27be2816a5f326ec355855c526

SHA1
92101457a1a5c672d012e283abff0cc247bafce5

SHA256
dd389256dcca00296c1d5408f564b272abbfa4cf508c1464df812e552cf08fa4

SHA512
3b1e09091e196db1b58920467104d56068e5edead3c9be393383f903286f6371b5749f4dd7bd248a09017fbd205df520627e7bd593ae84b0b7a4a6b0961a837c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3fe73e8d5b823372664b0f17b5ea8c05

SHA1
f72d4a96b210390bed6c27942568523f5bae4466

SHA256
cc798cdaa13ffd8adda340a47b61a7bb2e7d5c1d282264de9977596e4bc7f122

SHA512
f1d6c7f89f6202a09cc62fcf52e873f9ba8c0089aed39e47290d3f154e0a92d95cab98a416092489f2a7ce206ae4fdb6e43b1a89dadf7c2189bbf5fa770c4146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
abe1d88767f2ca65bc5eefc6b371e60a

SHA1
d265ce35f23e8e3ac59a8e451ba1d1c688d5e911

SHA256
413fc69e112644677f995b3717d769c980594b86190b94ad57b77cbe4b2438d5

SHA512
0a102666f1e735b0cf732592ebcd4bd044ccedffe2aab3bf377bf6feae4437b0e8a99cab5318806ea8476c313fd1d5fbe2680c39cd6ed85bc8b4fcc40dd3f704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
943f2769501c527c18f134f4116e6eda

SHA1
b8cf04a6a02d0bc2afd5bd9416eaacea2dbb999f

SHA256
e6926fe59182a0116196a2772c75240f6a98bd44fab17af25abbe142bcc3595e

SHA512
5910d170c4f46bc927d7e16faf770522f7aeec9e92346066fa2f02a66f04a7bc6fc6debb8c816980f6f7aa401896cf98712b16b3c87df99f1aa20ddba3557c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ad470290d74ce5d15f5f00a012c21f6

SHA1
d6d2e4080240ac0fa9f9bf1c2788b4584f9e7cdd

SHA256
2672f6dc7a7f9f507da6a3a78d72311fbb5aa1a348e713030dbf8be14c267984

SHA512
6ddad2b45e80453b8c3ed75a78d5141d95ecc12aafa2493c48b9bba72765c47bf6aadb5e1eca45124dd9b7c0961c7c04f800cce07fca99a67d7ac01ef67fa53b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e339650cea64cd54aea06e7790f42856

SHA1
85fc29101373abdd41136186b780f166438cddbe

SHA256
2a84ccf027c5824000e62b4593f5ca292fad3e47cb5b3fd44c1d2e9579744915

SHA512
00b734ed983810b359196e5a76676e6b64758d1a34118cd517d8c645b02e1b4f1223b6ba819c16628be784f7a3ac35a4a25a325726f3305830884d8ea1362727

Download Submit