Analysis

  • max time kernel
    43s
  • max time network
    22s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-es
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-es, locale:es-es, os:windows11-21h2-x64, system, windows
  • submitted
    25-11-2024 15:49

General

  • Target

    http://oval.az/license.html

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://oval.az/license.html
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0627cc40,0x7ffe0627cc4c,0x7ffe0627cc58
      2⤵
      PID:3372
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1616,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
      2⤵
      PID:4396
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
      2⤵
      PID:4460
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
      2⤵
      PID:4052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3028 /prefetch:1
      2⤵
      PID:2084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      2⤵
      PID:3604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4280 /prefetch:1
      2⤵
      PID:4756
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
      2⤵
      PID:3288
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3692,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:1
      2⤵
      PID:4740
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4328,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
      2⤵
      PID:1172
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3224,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
      2⤵
      PID:2520
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4852,i,16396715104261746999,5944989196994916533,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
      2⤵
      PID:992
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:3928
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:2032
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize
    649B
    MD5
    b4993c6e09b2e70697656a2076fea273
    SHA1
    de67bee988448affdb8dcd8eb076d19eff5fa004
    SHA256
    414c2a3162a0fa951b4f9488ba4be4e1c3c254b6656d2716bbece549c08a5bfc
    SHA512
    cf9d1b32eda54bc2996d34e4128d0412b6223c776893654c2d386438e57603280d1937b7c592407df17ba03c8adff2cee28157eea4cc54a4989cc4e947e09c47
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize
    192B
    MD5
    c1dc83d38b1022d04ce2526369bc4ff7
    SHA1
    d3593e88be8c6625b2bd6ca3f194095f87195b3b
    SHA256
    645dc6e550339e6c507bd3fce5f8b5733bddb3ff0720f18e15b8b4abbc0a268c
    SHA512
    101f82e0260f11970f56f0988a9ae03dcdc769bc3149f42bc6970d5ea9b7cf524c9dbb97f70ad31cd5735405acc1c7d7e63f66dff6e28a23ef30b946ae8ea2d1
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize
    2B
    MD5
    d751713988987e9331980363e24189ce
    SHA1
    97d170e1550eee4afc0af065b78cda302a97674c
    SHA256
    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512
    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize
    858B
    MD5
    2c9369bc1218c11a70e653250737bab7
    SHA1
    36c146d09721c606bfaf5b3ea77e10edfd0365d8
    SHA256
    f6102addb148783514cdf77560310a72f7ed2ddc92250d3972934f6d7b870e2e
    SHA512
    cecbc20d2487fc0b6b4af08f6da8719e2417207c1d184f2d06ac02f460fda0c178c87c6803bfc7b1eb49c5ccd9a180db99bd1174936751d94684f3e4db54023b
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize
    1KB
    MD5
    ed94814d6c93b8f22f33898c0a0a3b3a
    SHA1
    da603f861bec5cb68ad7fc0c3b9010c499a5347c
    SHA256
    b9b7b07e32dea8ba83a80a6ec645ab117e7042d7f7ffc27d1682096e8f0cb1ed
    SHA512
    a76b4b193d426cb93d0dc69b5f8793b1352749cc1fc6fd5eb89bc8418f0d9d38cff0872afa0a7df42818780921a938dcaa912c51d3feebcaf02c61b897094c60
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    9KB
    MD5
    95fbfda63b072983571afe2457a5dd04
    SHA1
    7bd93afcf350e24a334dd30419b4bef543947099
    SHA256
    cd2aec3d8abfa14d64e7c638c89e2e64f3a631fc4c5b218aca2f323fd56eb045
    SHA512
    ce8c0bd8dc0c867022039795fade26efec94e5efeb8a259d4f96fbb3b317e4c9bd9018433d4ae013df6ee71b5b8e8f2a28577dad60a5611e7d670cd626f0ee18
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    9KB
    MD5
    7798bd94ddb8c2c6e5a83d708b9161a1
    SHA1
    bab2b9e6405b54ec86159edcda224b3260cdd1fd
    SHA256
    7d6e2ae59998fe648a4a3184a2eaa4ae43a6fc6414bc2b936a139221d7eaf2a7
    SHA512
    6d42c0707ef7c623cebe08531b9df4e85ff5e6b29fadf3e2a3b0f7979a7ec6b0618fb8773176154da775b909ba4611848eeb8cbd2c2687a8b6d437af644dace0
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    9KB
    MD5
    58f07561ed576429fc5600b52cde66a4
    SHA1
    6807be632edb33ddd5266c2a86a948116fae3d0d
    SHA256
    e65a1fcf48248f3d241292c7d5a408345828633990858867a06af820031b1bc8
    SHA512
    1b3a97bd792050f260a35094a465f84ebc62813d0fbb25ee30181d8ca546720316490700bedab9f9417736f66503029485d79053ec451affdf331e28a3beb175
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    228KB
    MD5
    f10680d080de2c693b4f0eda8d8ebbd6
    SHA1
    e0fbe107904b506c113b795ca44f542236331f9e
    SHA256
    460247696a57629359e153968ccfd514cc70aa6926b7a66bd167979101fdbd2e
    SHA512
    0199efbbc2aadd99c3d2ea6a609169c98206221ca02942c9cf1f4e8c2d677be2961b31737ec606449aa6923abd5f290e24b4948eda0470b3aa6c92d2853951fa
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    228KB
    MD5
    9c05ccf59486aa75d3b2db3949cc73d5
    SHA1
    4b2fb61052e09d5e43ddc85606dabcc7ffc72be4
    SHA256
    ce57821ed2dfb17ab965dfe20b1f57fc3198e3e228aa0908a2cdc594a8c66b1e
    SHA512
    f0f64940d6941be392638a48473646942a1624cdcedebd48db4a66be4db86d7861dc80e95295596aec0e3cefc9aff6ac0a4d08b27648ba6f47eeb943dcf92679
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize
    10KB
    MD5
    d95aee77c8737b4cac06d30110ccc00b
    SHA1
    31251bf2af0421a1e285540184d18f14a19108fb
    SHA256
    d5f53c542363775cd4224aadaf128ead5f17208ac8d13765458d3ec0c9d3a7d2
    SHA512
    8023ce80fc913e0529263cd0170f057419e9afa660ebbca76f747350f938ae07a135b97d16963c2c68063f16a5d7b31c0b35fcdb2eaf05576e624eacad7c8c2b