hxxps://go[.]redirectingat[.]com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https%3A%2F%2Fmadanimavazi[.]co[.]ke%2Fism%2Fabi%2F/zdjn5y%2F%2F%2F%2Fciosp3@accenturefederal[.]com

General

Target

https://go.redirectingat.com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https%3A%2F%2Fmadanimavazi.co.ke%2Fism%2Fabi%2F/zdjn5y%2F%2F%2F%[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238917140304824"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2908 chrome.exe
2908 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2908 chrome.exe
2908 chrome.exe
2908 chrome.exe
2908 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2908 wrote to memory of 2524	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 2524	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 3804	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4792	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4792	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe
PID 2908 wrote to memory of 4856	2908	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://go.redirectingat.com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https%3A%2F%2Fmadanimavazi.co.ke%2Fism%2Fabi%2F/zdjn5y%2F%2F%2F%[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x88,0xd8,0x7ffec73e9758,0x7ffec73e9768,0x7ffec73e9778
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:2
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:1
2⤵
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:1
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:1
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4740 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:1
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1748,i,9329442117099849860,3291558679446078199,131072 /prefetch:8
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
50431842083b0dd7efef71ef9f62fde2

SHA1
92b2f49f38e7842d59c18b7dbd844d404f221552

SHA256
70055fb1ee86c84e28da9e9f93c1679259429d5a7610ce9ffdd9e35936a43381

SHA512
5ace79a6426878057b5e79e7d1fb3923533a273b9e24f7b071545c7fb4f4e0cec875f0ac2ae50276f763b9cebf72c3992b71cdaa2436bf80ec70f3183d398516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
72a5cd8ed254656436acddd0c02fb92b

SHA1
d0d6a568eacadbed0003f3cba110316739a83007

SHA256
9826290fe729ca8fee4c3a53ee42c2db3f46ebe842e96459bfa39dd366c1bb93

SHA512
45dbc45ec2399cbbf86e1b4212ac8c9200e61c8becb5ac51f243ccd9d89d8c40bba9b4d308b62ab06301fd8e2289020e602af82451b2eae44e6febad5d417946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2f8ac7962a555c1f4f02b4752c8c17e6

SHA1
70693be9a79ac27478a47c8b908ae4edd0496eb4

SHA256
0701b6198d54a7fac7bce0ffae57d46d944f094fd106e63b49164c56bc6f1086

SHA512
3660a45c466ac857ccfe68e8f54c3d713903d25d3175aa1a50ec8848016bbf033c2ab28dddc12fcd6e63dfaa39ce8a598d31237b74a32caa1f35183423b6032a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
8e69b5efee6ba3cc4b60fb1df9afcb52

SHA1
7feb07fc874ee6baf562f13abd3b50d06bb60110

SHA256
22c318c7c1fe7dd4ddf6aa9d580f2abda658e617622609cab5b2a82b3f45954e

SHA512
44e509809e3ff42d1e248b6df7869bb6457320b8dea7d26a6a59a796a386b8fc7f8285724b50f1463ac3d7158eb53a28f3ecc7fc9dc92ff7dffcaad02ecf9cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads