hxxps://nexi[.]13-50-224-87[.]cprapid[.]com/

General

Target

https://nexi.13-50-224-87.cprapid.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238062837009647"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1268 chrome.exe
1268 chrome.exe
3220 chrome.exe
3220 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1268 chrome.exe
1268 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe
Token: SeShutdownPrivilege	1268	chrome.exe
Token: SeCreatePagefilePrivilege	1268	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1268 wrote to memory of 3856	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 3856	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 548	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2112	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2112	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe
PID 1268 wrote to memory of 2384	1268	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://nexi.13-50-224-87.cprapid.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff999889758,0x7ff999889768,0x7ff999889778
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:2
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:8
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:8
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:1
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 --field-trial-handle=1756,i,13574201473340925454,13754013474311846971,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
1.8MB

MD5
5f3358828daeb5a655f8f607422c1d33

SHA1
a105cd53cfcbfe2215de338c8237eea9874006a2

SHA256
ebca2a57850f42b7e56adfde80ccf258494e6367ec780b3e8824350e3bee50b6

SHA512
034119ce0e3201421f94940adec93af6a0bf227e235881e949308d22500b89a19574a32d4f1c0f76897a9fedfab715100983553edc2461850ac055b45668b938

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0fcf525c65a5a6166936b040c36fb72d

SHA1
828b733de0a22be22b9c94262fd1fc7cbb4920a2

SHA256
c3abd7c03d35336f55d71675cef37b73855c7c4362b4c58b5b9990ddb6f91e64

SHA512
40e53de4dd315759c753b7aee2915973c6004893d14cd9bc475ec4f575817a752e0325ebd5331648239f27d2e9f3540081c39f7d6eeba015d5a200fd3f73eeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
397924e1948393b3bdc1a7c22b564ee3

SHA1
fa7f8212fe34a6d13d761258017dc276ba0d1345

SHA256
814c9ed8d5868440dcdd1fe1e7c045ec0bd0a9967d65f7f9ecdf60b052bc4131

SHA512
8101a9a800855ea3deb841ae94a2ddf5141547abc18081413270c835c551f8a9d2bab769d146c113269ba9093e427b26e5a0c18e77216cb525d3f9701e5e5b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
abe878b19f47279be043a968651a2b34

SHA1
3a7501eb4d40b03df88cfab06cccfcc676296760

SHA256
c8e956218e0be5571fdf8bf92a3fb59195c987fd0cf49fa351b653a6674269d6

SHA512
6a22149a33963c91289ea1574be4873aef0e8c5a483190850c52c634032054ba99d620165b8d562d0343aa409205e88f228d7268b5009ecffbc01c53aa268a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
7f2c49b569d07374fe4c2b5b41e6c013

SHA1
0c48206122bf9aab965205ce8c6aab3767d343ce

SHA256
f3f05229a02c79eff9f7eae30c21d0fd2cc68f5fe56aae9fcf96688e63cd92c2

SHA512
ec27c62cf87cb4963861f12bba3a48e3020e1a6bf50794a613f9a91a1e2a170afe2b534b5f49bc0a684b42965099a9e7a326b624f531603969b9c1ed8c6f1df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dcaabb529e40f2d2df43625d39ccbfd9

SHA1
a5b56d186dace7db0ecf6c3d077109528a22611a

SHA256
feda47d9de31554f19d0c6d53326edf5dd7dd714f7b7ca8c59ff22b1dfb3430f

SHA512
ca2d754aeffe1a0d2d235dfe0e2fd1b4d8e286d9bd0e4c0cbcaf5e2594c98ba83f250fbdba969c764e6e6641dc0262ca3a3ce8f473371df9c29b2e8ec4d27310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c45b5520-ccdd-48f6-a2df-fbff1910fbc6.tmp
Filesize
143KB

MD5
1bb74a04d18a09142ddcfc8630b4d68f

SHA1
be6411d7faf12b79a7dc7a4b7f72fde11b095195

SHA256
8cff898f9ef6f0e3741c0906a8bf27f5b7a8935d9a3801a4793264712fcf2911

SHA512
a66b07370b640d02e99006c8cc3f0ac59175a39fe7ede37e9180e924ad505c9bb55d350fd3647572101a4a1d33834a4d1fc5451a4c29162f836a76da4df0078e

Download Submit
\??\pipe\crashpad_1268_ZNTTLZHQDRJYINJZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads