hxxp://www[.]cavalrydoomeddoorbell[.]com

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.cavalrydoomeddoorbell.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133270021418152052"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
336	chrome.exe
336	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 936	4496	chrome.exe	85
PID 4496 wrote to memory of 936	4496	chrome.exe	85
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 220	4496	chrome.exe	87
PID 4496 wrote to memory of 4620	4496	chrome.exe	88
PID 4496 wrote to memory of 4620	4496	chrome.exe	88
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89
PID 4496 wrote to memory of 1300	4496	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.cavalrydoomeddoorbell.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff87f649758,0x7ff87f649768,0x7ff87f649778
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:2
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3872 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4688 --field-trial-handle=1808,i,3507630688513479017,8354216275706289967,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f2a0db77f82ea7189555e1a4344b619a

SHA1
8821e2329417204057361d6e86f48792a90c5769

SHA256
bbe55f80c98ff82c80b336217f02dd4a71172103895d5679e62ef4ecd78a8243

SHA512
d067bf99a7d52d974df2286e7f3697620c47829a685871ab6e3e99a3bb49bd50941f7dee007c8a91dc1ef5e3c195bb11045ec8540d029f2a70a5887e3ad79e2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4035d48e9ac985291a865c49df1ab4a1

SHA1
5c569dc127e7aaf21f6336e0fcc95e9a8990ea6d

SHA256
d9bb3efe78078f70cf379c1cd8db7de9f1926746f0be9ec5fa6e204819b7e6e2

SHA512
2a31014e30975e07da25f93c0c62301d9a175135bb73094254cb28ce0e8b6ea4c8f1fe324fd8246979a8a0121340f917409d0cffc42b7759d60111e0f365c026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a6f995b32f0fc113104699726cb4043e

SHA1
500bf3b69c9094025ea8bf830223377507690411

SHA256
8279cfd5af25e69071451086f612909fa258a468863174d8ed90599ffb33dcda

SHA512
6a654c5c3e0950de06f3153540a3a8a0de8f930dcca4e6044819bbd3c0d0df94f2d2151302875185b4e902c743ff10867c23295c38f22d86002b92003d1af4cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
505e516bddd012ed24204058b9f608f4

SHA1
7e6b0729d06889fe1ee0459f08dc63c52bec6999

SHA256
5f8695c245feae5ef564c99a6fe3fe5191ae57c402b81a2b34177e7f3c9ec44e

SHA512
6e66e761dc568530f0b466115c2cff153cea8cf31cc20f38db650f1b7c2898d934e7b12b36a2f5de676ecb6551d37684812638f3ebb2c25a01e6f3e290ce5751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f00ded3456ec7150db26a51743d4d13f

SHA1
e5276fac5ebda7c0273adeffdc1488a5b8db6f3f

SHA256
93967ba1191d6db5b2ccb8030b50200680b4d8d677b623887d295b7f84bea2c7

SHA512
c6e670f2681d274c401012c735a4e6cb66a2a624c7a009b0f87b1f9e02c231240f319aa5cde8cee228ef9299e4ca89008ff4f9c40d0788c67e4eda33e2926322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05680c6641d023ed318c88436f1329d6

SHA1
824a0443833a3598fb05c3abf5c5094481e8f634

SHA256
b83575a9e4142c14686e22622b7e350e4a50c3c34f57a866375d4b057370af7d

SHA512
160ec09628950f83e14f482fafc48bbbafa3bf185ff86ea9d26671c132c2d5de953855cd0a8873079dbf71de3229b28e1541fd1d6a3b0e4df647517d53ed940e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
939772a96e320b481e51f1abbebeeb8f

SHA1
a1889b6313ace90b0f48514125aacf622cb6c5b3

SHA256
972a3751d17acfd41e6d1edef4c45a4083b860cff0723b16304ab0705a985152

SHA512
e2bd28cd2f69de7d9851134ec859534f88c76d5a0a4f60a4fd8d557fa85f408d8234fc8f6ea7e976d18600e4621fc92cc6a201a5165df1acc54bfd47f72577d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
5d1f792d10b7d97b7aa43c87883c27f2

SHA1
1a7dc96fb6c86fc19a0e192f02f9398d45d0d645

SHA256
9164f09b068cfd68b399357b0bc91ddd2c51101e9264769e1b5206b66a8f5546

SHA512
f686a5c7c37ab4f7bbeb8fb51f6ea1d2a5ab11b0b80077e4a226d5cfc12a51f1a10766b732e4a7467778dd3f757333fc82a67762417b44386206d5c0fbe258db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit