hxxps://vettersculliganwater[.]site/__;!!CS2toJ4K6ao!RWDqQj2-sTVGHPfN6SH_24ZdFrkl1FBWz8ReG6-A00l8TsYWf3KwSuS4kw-YUzilYR_zjHLrEX9qG4ZYzxl8QWvJCrEExRA$

Resubmissions

20/04/2023, 07:58

230420-jt6l9sad8z 1

20/04/2023, 07:57

20/04/2023, 07:57

20/04/2023, 06:53

20/04/2023, 06:51

Analysis

max time kernel
59s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vettersculliganwater.site/__;!!CS2toJ4K6ao!RWDqQj2-sTVGHPfN6SH_24ZdFrkl1FBWz8ReG6-A00l8TsYWf3KwSuS4kw-YUzilYR_zjHLrEX9qG4ZYzxl8QWvJCrEExRA$

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133264583449594716"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4776	4260	chrome.exe	83
PID 4260 wrote to memory of 4776	4260	chrome.exe	83
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 4180	4260	chrome.exe	84
PID 4260 wrote to memory of 1908	4260	chrome.exe	85
PID 4260 wrote to memory of 1908	4260	chrome.exe	85
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86
PID 4260 wrote to memory of 2804	4260	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://vettersculliganwater.site/__;!!CS2toJ4K6ao!RWDqQj2-sTVGHPfN6SH_24ZdFrkl1FBWz8ReG6-A00l8TsYWf3KwSuS4kw-YUzilYR_zjHLrEX9qG4ZYzxl8QWvJCrEExRA$
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad8a39758,0x7ffad8a39768,0x7ffad8a39778
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:2
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4468 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1816,i,906429591178962468,7469403099062564718,131072 /prefetch:8
  2⤵
  PID:1440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
35370ad98609cc308ebc743b694fb2c0

SHA1
fa53021d1838e0ba598c19d613d7acb3c777cd76

SHA256
ce3037d051c59273c70b32bee993dadd3baac9bfb6aefd64cc8da214cbf7682b

SHA512
ac020f82dd20157713352e55ef638f8d4427e133bae245410b6dc2cdc5da9ef8a87a0d025d78286bd2dcca1e7e2f31f052711f90c818463c1cb77479be76098a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
8000e24daafea8b8a300de083f4d1aaf

SHA1
9cc61117e5d98f88b86ace7173c5beabfa221ccf

SHA256
ba7dffe2f008618ce7a3af895c24bbf3b8b066695e703eb36171f99a396ebaab

SHA512
158d617221ae46de3da158968f465aa35152b848e8fee695095b4efd650b932db7670a888b7cab1eaa48e30deaa788f9d2655f0a7c776ca9b83e1adc0edeeba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
df5a07d4dd8e3b5568603e7db14f7160

SHA1
659a0ecbf22979bf88e6b064cf9282c26a1d3e70

SHA256
73adedc96f5e2fc05d17187c8a6d53fdfab63e24ada7b865ff54895092598417

SHA512
6fa77f455aa9ee788788fb3f4d1e2779980ae6c14670485599650c571bfb11223fcafdbef730c21dfeb1092587e42d824c8648ccb460e54724f5c8768a520c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d3b751327a237e3506a885158ea6acf7

SHA1
d2cad87c35bd8457c5417d28e58248129bddabd8

SHA256
1947f9e3c23fe97f6196a0fbdfc995aebc767bb47d40d1bf795febe77e717779

SHA512
1a0def77bd5208074283535d6ef2155612579548f634db7793aba6ef3723b401bbcc6cd36ddebe1ab5512c0dbfaf415bf42d8491d5ce28a01b44acb7f4acde2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
2a975219bff70b844ba1d488c9c0efb1

SHA1
08b87c4d41278646c675d6a303a7c7d0e4e5c969

SHA256
c2792065315a1f73e3bae9ca4219875aaf84b1accee9f4d3d121fedd8ea9488d

SHA512
11260bff19295f8d04def8c93c205475ccd887c3115c2ad597dc772059d0aad056c3eb4aaf41d55828020397660e5a7515abd4a60c2c645c189b99a4dc684c81

Download Submit