hxxps://roughedgesmerchandise[.]com/se/se[.]php

Analysis

max time kernel
1799s
max time network
1689s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
20/04/2023, 09:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://roughedgesmerchandise.com/se/se.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133264628950394252"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3700	4396	chrome.exe	83
PID 4396 wrote to memory of 3700	4396	chrome.exe	83
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 4432	4396	chrome.exe	84
PID 4396 wrote to memory of 3988	4396	chrome.exe	85
PID 4396 wrote to memory of 3988	4396	chrome.exe	85
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86
PID 4396 wrote to memory of 4140	4396	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://roughedgesmerchandise.com/se/se.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8890e9758,0x7ff8890e9768,0x7ff8890e9778
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:2
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1816,i,3306582969100184934,9125666001831695236,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
965B

MD5
200086c52ed45e9ebd79f95caba5895d

SHA1
6f27e0ab6057ee98d976651b6c31c62dd134dfe8

SHA256
914e6de20f33b5dbf2a6425e1160b0a6dfb2db24edbbe7299dbf701a0eb8fdcc

SHA512
5b4576c509012afa9c7aeb356219a3af352e9b7f1fdcd468776bcf07106dd3684ece54a4241c432b3ddcb4b7d6ec005508e730201fa432f9ba64333f1ae4ef0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8360e7d3354292362e55428521b142d7

SHA1
0e21ba1ddf90cb21f540fdaca0dc613afd859343

SHA256
74b7967f04d488e66fd3155ae24248ab6459e5f901eba5b5aa97ac24e39265d4

SHA512
c8481109eb30fc60bd6cc05db9ffb738a0c0f8aaee495c612242dd03019e7c5db3d9b78b1119759367a20f755fc740188f9c3784a43f322165a3327bb3166684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3662153a9c2dda3a9409f25814f6da6a

SHA1
f00d8853fb827a89e2381a4598f478952b85b4d1

SHA256
352b9302d423dff536eba33d61bc0d771d6395d190baaeff8241ea2375401aca

SHA512
b2a356f064502718d73bfcfe6250bbef10ace772284f02f20455bdc337fcd1505663d5a8c21499d576cd9f4b61ef85c48be7b9ad300b38034c7c605c83e48fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
273a7742fa614e42715b5d9eb08e1f5e

SHA1
4360b51f963964400b6cc91914d48c8e8695c2a2

SHA256
5acd6bddc81e756333e11831cf218ed9baa35eba31a1836f9c4dbcb1e14da8b9

SHA512
3d2ccc0dafcd04ae4a9ebb2bc8a65365cf9e64735fb8805294f3838c7a025ca7975b8a865b10832cde095a2d3c44b4f92a8634e3bd2bc7834ef0dce3422d8da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit