hxxp://grswot[.]gilnet[.]net/#YWZldHNjaEBuZXdjZW50dXJ5aGVhbHRoLmNvbQ==

Analysis

max time kernel
39s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://grswot.gilnet.net/#YWZldHNjaEBuZXdjZW50dXJ5aGVhbHRoLmNvbQ==

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org
49	api.ipify.org

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133770480585866581"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3836	1444	chrome.exe	82
PID 1444 wrote to memory of 3836	1444	chrome.exe	82
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 4740	1444	chrome.exe	83
PID 1444 wrote to memory of 3740	1444	chrome.exe	84
PID 1444 wrote to memory of 3740	1444	chrome.exe	84
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85
PID 1444 wrote to memory of 5024	1444	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://grswot.gilnet.net/#YWZldHNjaEBuZXdjZW50dXJ5aGVhbHRoLmNvbQ==
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff807a1cc40,0x7ff807a1cc4c,0x7ff807a1cc58
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1716,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3040,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4392,i,2915855815169481418,3700414229933417540,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:1752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
26641e18971899f594ec264bed8665f6

SHA1
4057334c99307cfa233aa64f80b8ddc0154b8cfd

SHA256
00e6c52016e145941430109114e32de8133769f7a3336ff932b572904ec0fd43

SHA512
9609b7d45baf6fdb9db3e2b73fd128a20158c50cee6d03e365e44c17791b66045da62626f63f2249061b1c2ac9342c4cfafbb8bd61334dc89126362d5485bf83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2c02ff24aa58270ef4d9f71decb22923

SHA1
95b858129f66f210b9bcd3dead4b33ecbf8f3cdc

SHA256
ac9bca99fce5c148527d6dfef41fbb01df33d12e614b118421192ef258f283d5

SHA512
92505bd4732406e11738246ae4d6efcaecee4d41138f17336c5091c8036400bc9fc7b35a257ebc86fa89a347a14c0a8e0cd5a02fcbbcb041d0568e8030c0cee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
244dc822a8947f9cd48c5d5280b69b76

SHA1
1d2da60406b5cbf01279426c500aea577b6b6908

SHA256
9811577eccee2ae29d6e3d0b8619f88c3ec5ee89dd0d35d54f0af04d0fee411b

SHA512
5cfe5408d46aba527ec9b170e71ac45e1451d77a9272c6f2c98ffe990e5352156c74abb45d1650b9071d90fb0b2fc90662c36005599ada745b1400934bbdb262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
974c4ac63b9445806993c20cb83df42f

SHA1
924aa79c760905b30a12f3ef8c562b8b544c42f1

SHA256
0a920f3566e8ac3d88b99d2ccbd5269a960888e0dc4dbc6fa122827b119e0dde

SHA512
0a5d8ec38bfbcc9d9f405070c3705c86e74bad4617c7d614b32bf9278c66e73ddf8c4f8a6a608f0032eaea5adaf0abad5ba93599163d6f16d1c5448f0b5f6680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bda1b3cc8adf23010a5b25601069af61

SHA1
27e8f85ec6739ed0e642a210411a02d639024492

SHA256
da3535791855cd14c04df66873ac0516ae1e7093a6aec29649ccd448ccfeca9f

SHA512
34b8cacd391ff81fb13f3cdb8877f19352b4f108426e7151803ef0fe976c0d41727946721f0c4e68dd4182b385cd57e144c40a0a30bd1d0ae6aee79d861b6ea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fdd3a238be573ddff9730a822d7fbfb3

SHA1
05ebd0398c1b5cf777ce81884b5a869daf11757c

SHA256
7fdfdc05f079679bb1a281e8e2cae0122d951cb39ecf9ccd637ebee16e7796ca

SHA512
cdc7c9bdf267aa643f299471593394bd30b9c0c17f725f0d573f481009839f9a6e5c04c9c59b5617306ca38724b8e6b0a29204c2bb80359a90c5f68b811a7eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
73d44c05feeb8fbcd97e57e495144ac7

SHA1
bcf63ff34ff4c09c6727fc61a75147168e55caa2

SHA256
f58088fe05aad3d3436bffa861a262511ce8adea8e9e174bbcf102d613f59945

SHA512
2c6548dcc5a2f12c5e97aaf5900830e67655c7a5d299bb20b0ea50e47354996477365f92dd478413cac7e46c4b56b770e45e62a43dd8d4ecbb072a070b6bce58

Download Submit