Analysis
max time kernel: 20s
max time network: 18s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 24-12-2024 08:04
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://navyp.ryokanlaluna.com/ghgfdsa/dfiokjfyujikj/T492uS/[email protected]
Resource: win10ltsc2021-20241211-en
General
Target: https://navyp.ryokanlaluna.com/ghgfdsa/dfiokjfyujikj/T492uS/[email protected]
Malware Config
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795010946724812" | chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4836 | chrome.exe (same entry repeated 2 times)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid | Process
4836 | chrome.exe (same entry repeated 4 times)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4836 | chrome.exe
Token: SeCreatePagefilePrivilege | 4836 | chrome.exe
(the two entries above alternate throughout the 40 IoCs)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
4836 | chrome.exe (same entry repeated 26 times)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4836 | chrome.exe (same entry repeated 24 times)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4836 wrote to memory of 3792 | 4836 | chrome.exe | 84
PID 4836 wrote to memory of 1196 | 4836 | chrome.exe | 85
PID 4836 wrote to memory of 3292 | 4836 | chrome.exe | 86
PID 4836 wrote to memory of 3404 | 4836 | chrome.exe | 87
(each of the four distinct entries above is repeated; 64 entries in total)
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://navyp.ryokanlaluna.com/ghgfdsa/dfiokjfyujikj/T492uS/[email protected]
  PID: 4836
  Signatures:
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffd3185cc40,0x7ffd3185cc4c,0x7ffd3185cc58
      PID: 3792
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1904 /prefetch:2
      PID: 1196
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1792 /prefetch:3
      PID: 3292
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2456 /prefetch:8
      PID: 3404
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3152 /prefetch:1
      PID: 2400
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:1
      PID: 5000
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3136,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4384 /prefetch:1
      PID: 2976
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4656,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3412 /prefetch:1
      PID: 3144
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,2534554588280461468,10842195701968508562,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4828 /prefetch:8
      PID: 2972
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 1000
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 1656
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 649B
MD5: b62864b5e0004b3c3b6e4a95c424ca0b
SHA1: 492ec4bf5a7a22acda5de78f08ced44b4058b8b7
SHA256: 43ba08029dd0c800227c521bde7a43ceec6857318d4f5bf081806229da4186b1
SHA512: 9e302b181d060a7910a6657d7599ac00bd97ae89e2c768aa8bd8e71291410084724ba5a3cf14135f2e071f8272aff4a02561ec20dc5fd36c412ae804adf28721

Filesize: 1KB
MD5: c84ab641ca6d9350614d948ce019776e
SHA1: f7015e9ba167e69dbaa900b8941be2c8883c2d38
SHA256: db3d88bc122c6c0908b72ee6f460efa111af5c1ad323a5901340715de0c8228b
SHA512: 94ba2d0e432112c307a2c09bdfdd7f6c169d430ed2af87136c7416c6e928658ae50e9899eddf1aa0fe9c704e6646f1ad918bda2fc337235920739710a247bd3d

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1017B
MD5: a434d47b8369b098c9b5e3b942ddce96
SHA1: a7358e63a65c32505c84a5e3b7fdaa7bbb78e0fd
SHA256: d60dfca5b345db39209ff8b0056ad6b996de2edfd5f5a3211ad14ce81ab615f2
SHA512: f473c540c267b1f6906ebe001efa18626eca8a220a83e5298fdb87e79bd8cbd4a9bd5f444ae06f7da98876758c29d3ef4e08248cd7d968081abda8bc09ee0f66

Filesize: 9KB
MD5: 2f7a7359957f62b2fd336c8ba5b68c63
SHA1: d2fbcf419b53a38e65a0d1252c3ae0dceec05b4f
SHA256: 8817e20468b3bbcfcc2603cf34121771d351fa08f3fee1802b509187d2c4aa68
SHA512: 0c6be46116461f4d0947fad47e876a8325cd600401455305f8e3ad5e2cb8ab6d646c9f9371d41f631431d8341e5c42be82fcf135b1f8c0fc9ea544235aae13ed

Filesize: 118KB
MD5: 0f5065bdddb6db6642abf21a76b07aee
SHA1: ab4dbfcac5ba13491fac21fc0acc01ad5d715405
SHA256: 3d6b5d7afce68a595951a15f43060d171212e389216799864fe1858f4d88151d
SHA512: 23073f7212209c2f95d79bf8767fae116aebc56847831d4d7a29b37ca69dc756275d3fb3597a364271bde9ce3d41eab4bdc51ba9b9893268162f5e1c7159cdf2