hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

23/02/2023, 03:18

230223-dtzaasee76 6

23/02/2023, 03:06

230223-dl9fasee57 10

23/02/2023, 03:00

230223-dhndnaee52 10

Analysis

max time kernel
324s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/02/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1980	1996	chrome.exe	28
PID 1996 wrote to memory of 1980	1996	chrome.exe	28
PID 1996 wrote to memory of 1980	1996	chrome.exe	28
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30
PID 1996 wrote to memory of 1812	1996	chrome.exe	30

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6519758,0x7fef6519768,0x7fef6519778
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1176,i,2562810416297318966,10930098361687577165,131072 /prefetch:2
  2⤵
  PID:1812

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6cc978.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f7f71e9ba927efecf8c5c6fcc32fc414

SHA1
ace8e75c962f0c1abfb1cc9565d4c9f815f85bc0

SHA256
91708820e785c176a35a2688f0460453157853923627ac9b6209b83d27b07017

SHA512
11e4c37cb17a044dac665593a4cb606808829ee4ae89226ca8fed974aaa7576fc8a2a21f75e92e8c12c2ae5185ae67c6e8ebf8782e4e1013fd68b4ce6d8df7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2f68133bf38d12069a557874677f851d

SHA1
5a3e59c501d297b38910f2ec7a1532f1df899cbd

SHA256
27337860914fb0626c914847e271820b230cc289e6561458ba2ef03661686740

SHA512
1b6ec15c77218d8e59761e410fbdb10ad4b59ec6e2a6e742f1d12b5369e530d742c4204f59a8e02fa22258d7f9e27514b8c56b56cbefc1465c755096d7a63f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
memory/1812-56-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download