hxxps://sales[.]whirlpool[.]com/Account/ChangeCulture?lan=es-MX&url=[//]stumadferechofork[.]ga/113saleswhirlpoolcomZCe651

Analysis

max time kernel
33s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://sales.whirlpool.com/Account/ChangeCulture?lan=es-MX&url=//stumadferechofork.ga/113saleswhirlpoolcomZCe651

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133245799913965277"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1612	2056	chrome.exe	84
PID 2056 wrote to memory of 1612	2056	chrome.exe	84
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4444	2056	chrome.exe	86
PID 2056 wrote to memory of 4912	2056	chrome.exe	87
PID 2056 wrote to memory of 4912	2056	chrome.exe	87
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88
PID 2056 wrote to memory of 1696	2056	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://sales.whirlpool.com/Account/ChangeCulture?lan=es-MX&url=//stumadferechofork.ga/113saleswhirlpoolcomZCe651
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0x100,0x104,0xdc,0x108,0x7ffd840c9758,0x7ffd840c9768,0x7ffd840c9778
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3184 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1820,i,16124602883403584673,8619420040892978071,131072 /prefetch:8
  2⤵
  PID:2880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
252bc8d0fd5a423cde9d3388a619b45e

SHA1
67e51ede0ad54eb08a76600738ebe7d16403821a

SHA256
a6d2260904d053c6ea9469334b3921cbe9dd24b240cf2ab3075c12b2fe851f98

SHA512
0779062327d59be8043daf48cba4080befe927d1a8908aeb17e27123f5ef09d76f796d5fd5f1639432658c4de6b53f0fe2a038a43baf93f538476b983488224c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
0bbec80daa2a1a08a064db20e01630d7

SHA1
596a47640783df532e9ba1eb0b482935c9b6b768

SHA256
fed9b24f813e6febce338764bf9242eee26be40d12b6f37bfa98433cd887c2dd

SHA512
32840bad78e9181e6fb94ccf1408d17126f4bb00298e1038d535067212d1ae194625494d2ff5e7115978e0fa241a79f8de9e79e54df5db0ae8edde0ff4a0dcd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f1307569627d822a7860b72a83828268

SHA1
8736472b8effe085c1f76020ae7260e7ccd94eb4

SHA256
6db15fe2c9214b6445e4db04d80f32677037da4c198acf8c99b43025bdb2261a

SHA512
ee853a83f79613c8609d31a356cab0abf154794d24accd40cc714019184aacc21415a7f99caf5e2d075a57a7f8b6d4d4fb01461c1a37284ca5a3304a7d3a2f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
14609a260d958c17f2689774df155602

SHA1
b60d7dd590e293d58a8c36f082c94abf2ab7cbd4

SHA256
385099143c38aca7e98836a8694a40033f07e09af1980dbd8714d925d9add8e9

SHA512
e708ce14a586762005a33a488b81a3d075a5b869454a13de977460d0f1d7eb9d9a2684640fb226315225f4db3f50ec3a925be67379887045c7ca638da8dac300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
52c38c90dccf6785d4552596b278a971

SHA1
34aa71ba561dcecdcd3a186dc8ffc55d2fc4ccec

SHA256
b54e31f18f0eefcf499abdce493a084804abbb90906ef88ac700199c13775bc1

SHA512
e1613db410aa5684ab84f23e89cb37f280b81931bf8726d7326a45539a3afac4ec0814aaa4a7434917bbe24c51e4a0fd673582299fdbcb21339382f95a56a83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit