Analysis

max time kernel: 21s
max time network: 21s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/01/2025, 15:10

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.ntd.com/shenyun/how-shen-yun-has-moved-overseas-chinese-to-tears_1036064.html
Resource: win11-20241007-en
General

Target: https://www.ntd.com/shenyun/how-shen-yun-has-moved-overseas-chinese-to-tears_1036064.html

Malware Config
Signatures

Drops file in Windows directory (1 IoC)
  description                    ioc                       process
  File opened for modification   C:\Windows\SystemTemp     chrome.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description          ioc                                                                   process
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description        ioc                                                                                                    process
  Set value (int)    \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133824642660334480"  chrome.exe
  Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid     process
  4852    chrome.exe   (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid     process
  4852    chrome.exe   (3 entries)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description                        pid     process
  Token: SeShutdownPrivilege         4852    chrome.exe
  Token: SeCreatePagefilePrivilege   4852    chrome.exe
  (40 entries in total, alternating between the two tokens above)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid     process
  4852    chrome.exe   (26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid     process
  4852    chrome.exe   (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid     process      procid_target
  PID 4852 wrote to memory of 3040     4852    chrome.exe   77
  PID 4852 wrote to memory of 4524     4852    chrome.exe   78
  PID 4852 wrote to memory of 464      4852    chrome.exe   79
  PID 4852 wrote to memory of 1404     4852    chrome.exe   80
  (64 entries in total, each repeating one of the four rows above)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4852)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.ntd.com/shenyun/how-shen-yun-has-moved-overseas-chinese-to-tears_1036064.html
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3040)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc392cc40,0x7ffbc392cc4c,0x7ffbc392cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4524)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 464)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1404)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2500 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4992)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3728)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4552)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4348,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1236)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4512,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1576)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5196,i,13295727411052459956,887758125587673065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 4856)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\AUDIODG.EXE (PID 1736)
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8

C:\Windows\system32\svchost.exe (PID 4440)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads