Analysis
- max time kernel: 104s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2024 14:10
- URLScan task: urlscan1
Signatures
- A potential corporate email address has been identified in the URL: [email protected]
  The address is not in clear text: it is the base64-encoded value of the ae206 query parameter on the submitted URL (see the chrome.exe command line under Processes). Carrying the target's address in the URL so the landing page can pre-fill the login form is a common credential-phishing pattern; the report raised this signature twice for the same URL, and the duplicate entry is collapsed here.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    33    ipapi.co
    37    ipapi.co
    56    ipapi.co
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                                    Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
    description      ioc                                                                                                   Process
    Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784862329665102"  chrome.exe
    Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    4876  chrome.exe   (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
    pid   Process
    4876  chrome.exe   (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description                       pid   Process
    Token: SeShutdownPrivilege        4876  chrome.exe
    Token: SeCreatePagefilePrivilege  4876  chrome.exe
    (the two token adjustments alternate for all 64 entries; every entry is PID 4876)
- Suspicious use of FindShellTrayWindow (26 IoCs)
    pid   Process
    4876  chrome.exe   (26 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
    pid   Process
    4876  chrome.exe   (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
    description                       pid   Process     procid_target
    PID 4876 wrote to memory of 1936  4876  chrome.exe  82   (2 entries)
    PID 4876 wrote to memory of 3944  4876  chrome.exe  83
    PID 4876 wrote to memory of 3988  4876  chrome.exe  84   (2 entries)
    PID 4876 wrote to memory of 4920  4876  chrome.exe  85
    (64 entries in total; the remaining 60 are repeated writes to PIDs 3944 and 4920)

Every behavioural signature in this section is raised by the Chrome instance launched on the submitted URL (PID 4876) against its own child processes: the WriteProcessMemory targets 1936, 3944, 3988 and 4920 are the crashpad handler, GPU process, network service and storage service listed under Processes, and the registry reads are the browser's own hardware queries. No non-browser process is created during the run, so the indicators worth acting on are the URL itself, the e-mail address embedded in it and the ipapi.co lookups made by the page, not the browser-internal signatures above.
Processes
- chrome.exe (PID 4876): the browser instance launched on the submitted URL
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://planinvestgroup.pccwv.com/researvewa/70936546/?ae206=YmFmaXNoZXJAZnQubmV3eW9ya2xpZmUuY29t
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - chrome.exe (PID 1936), crashpad handler
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed618cc40,0x7ffed618cc4c,0x7ffed618cc58
  - chrome.exe (PID 3944), GPU process
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  - chrome.exe (PID 3988), network service utility (runs with --service-sandbox-type=none)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  - chrome.exe (PID 4920), storage service utility
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
  - chrome.exe (PID 4064), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  - chrome.exe (PID 2056), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  - chrome.exe (PID 1324), processor metrics utility (runs with --service-sandbox-type=none)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,3394591007965235060,14749734297294510380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
- elevation_service.exe (PID 1360), Chrome's own elevation service
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- svchost.exe (PID 1708), NgcSvc service host
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
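The signature at the top of the report flags an e-mail address in the URL, and the chrome.exe command line above shows where it lives: the ae206 query parameter carries it base64-encoded with the "=" padding stripped. The following is an added example, not part of the sandbox report, showing how to pull such addresses out of a URL before visiting it: it splits the query string, tries a lenient base64 decode on every value (standard or URL-safe alphabet, padding restored), and keeps the values that decode to a well-formed address. The sample URL reuses the report's host, path and parameter name, but its value is a constructed placeholder (base64 of user@example.com) rather than the real one.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Deliberately strict: one local part, a dotted domain, nothing else.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Constructed sample: the report's host, path and parameter name, with the value
# replaced by base64("user@example.com") minus its "==" padding. The numeric id
# parameter is there to show that ordinary values are not reported as hits.
SAMPLE_URL = (
    "https://planinvestgroup.pccwv.com/researvewa/70936546/"
    "?ae206=dXNlckBleGFtcGxlLmNvbQ&id=70936546"
)


def b64decode_lenient(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, restoring stripped '=' padding.

    Returns None when the string cannot be base64 at all, so callers can treat
    ordinary query values (numbers, words) as non-hits.
    """
    # parse_qsl already turned '+' into ' '; undo that before treating it as base64,
    # then map the URL-safe alphabet onto the standard one.
    cleaned = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    if not cleaned or len(cleaned) % 4 == 1:  # a lone trailing sextet is never valid
        return None
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_emails(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, email) pairs for query values that base64-decode to an e-mail."""
    hits: List[Tuple[str, str]] = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        raw = b64decode_lenient(value)
        if raw is None:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:  # random bytes from a value that merely looked like base64
            continue
        if EMAIL_RE.match(text):
            hits.append((key, text))
    return hits


if __name__ == "__main__":
    for param, email in find_encoded_emails(SAMPLE_URL):
        print(f"{param} -> {email}")
```

Running it on the report's real URL yields the address the signature redacts, which tells you who the lure was aimed at and therefore which mailbox to search for the delivering message. Values that decode to non-ASCII bytes (the id parameter here decodes to three bytes, none of them printable) are discarded rather than reported.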
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 649B
  MD5: 1aa96efbdb88884b749edcc80c757808
  SHA1: 660b6cab830e9953703d18f2709372b0c1618b89
  SHA256: fdc50eae2e0c4f8822394a53014168b3c59dd84e1b3d06f4d0dc29730791bad4
  SHA512: 54c3965455579bf64e7a29a063fe4c422fb2402c54876bb2a72d9a9a2d2dcc10cabef33a28abbcf211c10ae9781ffdef869b50ee1ddb472cea83b06144d9fcfa
- Filesize: 192B
  MD5: 23036b9f3958756e227cae7b33ce4906
  SHA1: 55639da4a14ee8d1f8c79441835f917f0029e147
  SHA256: 8de7d658ffcfb8c9fe065048e77f85dd407dd9ceb14d28a91e97a61ede71e7b5
  SHA512: d2972cdff691996c39057ef962dcef5d607455cd504e7d532d3d1bcc32d6987b86df1e1c798431af9a9ce9a6e206b206725265354d51c7c8b00079df468abb18
- Filesize: 3KB
  MD5: 7bea06d6981c58c42eb87f116bad7277
  SHA1: 2efe94310d678f1745ead8a63cdc6c9d13c60163
  SHA256: 568bf29002203bd3abaa624c5f5ec0cc2bba182f72fd3c08d5849535902b0fc1
  SHA512: 3ef9a8372e71a8983de996c327529552ee8f588a7ff8818df4662503bfe0b1f61af874b8202217495277a435a0b4b93830f2239f3ae6471b9760a956a39fc740
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
  These are the well-known digests of the two ASCII bytes "[]", an empty JSON array, i.e. an empty API response rather than a payload.
- Filesize: 852B
  MD5: e5c78a913e8f5b484b04f477a28382b7
  SHA1: f750af480a855227202f5302565b7fb2dfbc37d7
  SHA256: 65be59f9bc3c8f377717438bbf0087f76fa8cb836d3a132f0c7acb6e9ed0ebf6
  SHA512: 0e3fa7cb1ee87703666c81f7992d6a85123a6aed22b06aec94a509945073d1ac4b75b97d5ca752697029b468a39b8b6e35a7b0006ad94da29e2be3d2b6c771fc
- Filesize: 9KB
  MD5: 4938d967c5ef932c5e2f1fcd6fd441a2
  SHA1: 1b81c1557fe82ffdec745fd4e70ed3242b32d879
  SHA256: e4ad6c429745306960d0c7e1e356a988fe0381b7467df2a4822dba38a9e1e98d
  SHA512: 67a245bab2635d3829313c67cab3dd4a02fc16ef44129d75f65f5ab7d8914daba16da3a251bbad01f7b02894414c5a57fc0bacbeb9731b6c348eecb227f94f14
- Filesize: 9KB
  MD5: 83d65bb7fe0beda34c466594ffdd167e
  SHA1: 847b07cc232096e735c235e0f71c988eb49c04a0
  SHA256: d3c4b09088994f7f51f0ffcfd03eec5f1c7f9eea32b7fa0f33628cca0f35a18e
  SHA512: 4ef4ef690a203fb02e232ae266dfd9208714b85a8d517c6a8ab38f5e7a6b214cf49947b2b6dd8f09b6b15a2a57aff73755b4161c0a85577f2e203c6e88d94642
- Filesize: 9KB
  MD5: 5d8a093a70ef6b685f95c47a981b5ae8
  SHA1: 0652a04d405f7ddbab8367b59964cf0320b71ecc
  SHA256: 3f6ab8e510ba475a25af2c074f060da119c6735161d617153bc691d1d2a67b36
  SHA512: 730ac087bceafc117719384a6ddbc5a8c90e3c9cd1644239f18f881f182fb2cd597deee0200bc143005daa971371540f153688b0dc1f5de872c28207fe06ca86
- Filesize: 9KB
  MD5: 375825c0a67c99efb16f82ef0739be9d
  SHA1: 3d34b86492bede6c46d8afe6d91fbf0f75eb06fa
  SHA256: d23c7ef65af3e98701f6117338d8f61f0954747869f66eb5ac588182b561873c
  SHA512: 4221309e3fb87f62cc9c32640f1999ab585ce7d896d34f243ae42a109c462fb2e8dcde398e81ac52baa48391504c3cc8f4caca1602821f4ac30602a2c1e9c047
- Filesize: 9KB
  MD5: fa58dd14161b55648554813f2beafa2b
  SHA1: 7335796fc809733c03e08c8cf395c52a0662122e
  SHA256: d1647718c0e3850c9644bb1c8c8543fea1f2fca55b54ca41842ec6c7e58c76f8
  SHA512: 22a048552f9da97814dd31d55c226ce8d013c9bc3883973a6720088bbd61feb52aa9b4d963d5c7a8231eaf819a7519c8fef07068e847bbc8a8db6b629ac4bc64
- Filesize: 9KB
  MD5: fd629aa9503c2fe18c104edc758c8ff4
  SHA1: f2e66a405fbbd6a79c5b3d0619b591b688a86b09
  SHA256: f977cf9319e29b509272ad06ff2dd3d473ac5722ee71922d6ae1844aa582066d
  SHA512: 7a0fc415e605f5a0d86744b5ff86d12150ae43928af714d0760af0544bfcf44569e38e4b781f2371d74223ba890b5d7ca121b4409bac6c2e40d8a98b683b640f
- Filesize: 9KB
  MD5: 8d567ede23c15f31a846857806e37aae
  SHA1: aa50a24f77888b81cde84f49ff07e9c22209d9f2
  SHA256: 0b8bd224a12189b11377bc0575818e202b1a508cb3449dff25cde32b5eec7251
  SHA512: 3fb11f4b187419ad13557510d99ae872418edb571f6a135647426989384bdd921b449c0a589158d573835acf5a35e935a3e501deac5cf3669014e71c92533fa4
- Filesize: 116KB
  MD5: f9daaae3fa9c6f37d9cf24387343f157
  SHA1: 6adb30bcf7270040fe1f585b53f2fa6f446360c8
  SHA256: 848e01e067c5012cb16f11930af2e7d1f8284f1ec8bd52bf2bfa52697f9bb018
  SHA512: b9905daae5609664a0c046b2aaa657f85efc34174acbbfe9055f7dabf0afd6a56d5b6247654713e438c402bd66382dbeec8f0201d771931a1f47ca4a515f5dff
- Filesize: 116KB
  MD5: 4b744a7536a814dfabb89ee383e9036b
  SHA1: 9eeeb5b37ea99d7ad695ad551e0745ff94a38c7e
  SHA256: 43e3ea80449ced2d771de2b62d73b746b6fcd9d3c9839b7f5d68d3714eebbcca
  SHA512: 099229117cffa857d292f8b595e96ab4d479501f8b1e95fa6b28cc0d02fdcf0e3a94b71cd05ff24c8c4d4e39c16e3ed84db4a45280951ea55e388dfcb360a38e
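A download list like the one above is only useful once the content-free entries are separated from anything worth retro-hunting for. The following is an added example, not part of the sandbox report: it takes report entries in the shape shown (size plus MD5/SHA1/SHA256) and checks each one against digests computed on the fly for a small table of trivial bodies that web applications return constantly. The two entries embedded below are copied from this report (the 2-byte file and the first 9KB file); the table of known bodies is the author's own and can be extended with any byte string, since nothing in it is hard-coded.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Two entries copied from the report's Downloads list. The report gives sizes
# as rounded strings ("9KB"), so size is carried for display only, not matching.
REPORT_DOWNLOADS: List[Dict[str, str]] = [
    {
        "size": "2B",
        "md5": "d751713988987e9331980363e24189ce",
        "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
        "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    },
    {
        "size": "9KB",
        "md5": "4938d967c5ef932c5e2f1fcd6fd441a2",
        "sha1": "1b81c1557fe82ffdec745fd4e70ed3242b32d879",
        "sha256": "e4ad6c429745306960d0c7e1e356a988fe0381b7467df2a4822dba38a9e1e98d",
    },
]

# Trivial response bodies that show up in sandbox download lists all the time.
# Their digests are computed below rather than stored, so the table cannot drift.
KNOWN_CONTENT: Dict[bytes, str] = {
    b"[]": "empty JSON array",
    b"{}": "empty JSON object",
    b"": "empty body",
    b"OK": "literal OK",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_set(data: bytes) -> Dict[str, str]:
    """Compute all four digests the report format uses for one byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def classify_download(entry: Dict[str, str]) -> Optional[str]:
    """Return a label when every digest the entry carries matches one known body.

    Requiring all supplied digests to agree (not just one) means a typo in a single
    copied hash produces no match rather than a wrong match.
    """
    present = [algo for algo in ALGOS if algo in entry]
    if not present:
        return None
    for content, label in KNOWN_CONTENT.items():
        computed = digest_set(content)
        if all(entry[algo].lower() == computed[algo] for algo in present):
            return label
    return None


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Pair each entry's SHA256 with its label; None marks files still worth hunting."""
    return [(entry["sha256"], classify_download(entry)) for entry in entries]


if __name__ == "__main__":
    for sha256, label in triage(REPORT_DOWNLOADS):
        print(f"{sha256}  {label or 'unclassified'}")
```

The 2-byte entry resolves to the empty JSON array and can be dropped from any indicator list; the 9KB entry stays unclassified and is the kind of artefact to pull from the sandbox and inspect or pivot on. Only SHA256 values should be shared onward: MD5 and SHA1 are kept here purely because the report format carries them.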