hxxps://u[.]to/_S0QIQ

Analysis

max time kernel
31s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/_S0QIQ

Score

7^/10

steam discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785849780249582"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
656	chrome.exe
656	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 844	656	chrome.exe	79
PID 656 wrote to memory of 844	656	chrome.exe	79
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 3704	656	chrome.exe	80
PID 656 wrote to memory of 2688	656	chrome.exe	81
PID 656 wrote to memory of 2688	656	chrome.exe	81
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82
PID 656 wrote to memory of 4828	656	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://u.to/_S0QIQ
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3d2dcc40,0x7ffc3d2dcc4c,0x7ffc3d2dcc58
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4356,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3344,i,7269936472102595071,8757966472763924682,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  PID:3020

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e06e352f1682044ebd170f5060faf1de

SHA1
bd03dac42a0794eb98594c186c823d0e0497db9f

SHA256
0ac6e0945fe9dcb8aba0e4afe3a174e8b1b7260fe5834b615d3bfb68b8c978d7

SHA512
b105f1729155aa84433e002a45fdf61f46b1d53afbf4108e1e2df3247b57df489feeab1a53bff26fb33f0be64259a3d6cda195ddaffa8ad72c74dee53185334a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
37KB

MD5
231913fdebabcbe65f4b0052372bde56

SHA1
553909d080e4f210b64dc73292f3a111d5a0781f

SHA256
9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad

SHA512
7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10aa6a582016cb5a4fa8d60206dd8740

SHA1
22c75400123898f94d003b595794ab92e6994792

SHA256
800996de4519b8cba5a79cc5f5dcc8d5fdac707970d7e59aac1b7344cefde115

SHA512
937752a2f202bf7ae59c1e23d098a0149b87fe1acf6a7a44c66a42f5fe66fd80e0ad6308d6764cc65f74deebbb4b7dc1c18b723b4ca6b2fd733b20ce997a0994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1023B

MD5
45c7293cda1a75f9b95d4c10bd78a6c9

SHA1
54f36218aa5304bc21de344ff510114ba07bd157

SHA256
7992a548ce86c9d9761665a97a7ab3646c782ce8429ea86e13e67ebe0715c280

SHA512
751ad00165ce0f9f1ad930352588e414bd2572456cb76ed89df334c018d6e632612d5ed1d25be8aab0ed645a90d2f1023561897a73bddbe43c967bea9371c32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a45473a82657ae5e7713444af446262

SHA1
ba300743baf423dd5f89d725f5bc3cc503cb5018

SHA256
2be9788452556dd22728fbdf3befea56ccba58381de0d048ee21d7b94bd99a81

SHA512
106ca9f2032be0012f49908437e4f9b62cf4f88dce4f27bbfd51d9b844a95fb9f75188b8dc1f39a42041e5c0bcccccc807673822e31f40c208d1b92e11e7a334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9427f84dcc5c486ce3af6b4eb8e285f9

SHA1
6199ece0124afad5fd470835ed5097ccd51bf936

SHA256
53112f4fe9df56c51a7ef8ffeebcbfdaae7f3cf3f751c7f32f3ab87bedc655f6

SHA512
94c2f8ee617c00f13915b372a6213c43900bdd051a78a39cb5785cd70b3ec0aa730ea5500eb239d4fae0bb144b139fed5bc72f8e0c52957753c1e550324c16ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f5df7b40b8ddbd76bdcb7ea041a5c230

SHA1
cc99e816452293380df3aaa623447d70c99c7e0d

SHA256
08162cc308e0b74d153b505d9b89fe9f9061a87a829efc6984eb58e044934508

SHA512
dbebd7ad626f157d552ceae0b4fbee4d3364e54e34ca85ee181062a1ea621f0d470ec97b8a76be77c66f31ff315c4eb018a6427ee2e05fea1c117b1c94e3330d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1ca57c65b546d34f3ba177ec25fd7e2c

SHA1
85a5b15e9487221d4e4a6534def96a1aee8c54f6

SHA256
2f841e7e18791d770e535e973a487f31adceebdd0de8cdc137c72a06775d3cc7

SHA512
9719a78b8f5abeab0c802a9db0e62ecebeed2f8f0f409aca24eecf55d73e2e5718a2fa11db355daf7e5a0ab83c6803086498825181ce5c701c1c9b78c76fd08f

Download Submit