hxxp://ezpawn[.]com/stores/tn/nashville/2609-murfreesboro-pike/modules[.]php

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2023, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ezpawn.com/stores/tn/nashville/2609-murfreesboro-pike/modules.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133291926953009735"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4708	4784	chrome.exe	83
PID 4784 wrote to memory of 4708	4784	chrome.exe	83
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 768	4784	chrome.exe	84
PID 4784 wrote to memory of 4744	4784	chrome.exe	85
PID 4784 wrote to memory of 4744	4784	chrome.exe	85
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86
PID 4784 wrote to memory of 3676	4784	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://ezpawn.com/stores/tn/nashville/2609-murfreesboro-pike/modules.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc249758,0x7ffcfc249768,0x7ffcfc249778
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:2
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2844 --field-trial-handle=1788,i,7167079454048378188,11199396302713761231,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
108KB

MD5
e6855ffb557458f27af6d0bf64e64fb1

SHA1
6e1e830a809bd9cbdd1cf7e4ffe089523e4d6611

SHA256
ed4f0aa2359036b79de76f244e24f19650b4de3d92c2f47d56870c8a53f642fb

SHA512
96484ec153f59b3694c2e3b172f7b228dbaf9aa7997d464e7094a139db09e457d4c34dc52ddc1ace3a8687fd677342c61309143de5acaa05ee397ecccca99bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
6938f3efb4c02067f5cae277dc9ac547

SHA1
b4af63a1d842573946f6478d00b17078c7ebfc82

SHA256
fd3e94d14562a221d3298aabbbf1d6094ac8eadb17b8db77554a26cb4cbb4f79

SHA512
1308133a84dac5e483981d68b92023bdd7ef6d22331e53bb90cb283297c2918718da47ba0d573d84b12039d46ac9e670cad6c971a7350f7035a7ad1f4dc67a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
198b90c3686595181ea3f40cb38b1f19

SHA1
a1bde336083109bb77cfdf37188ff2fb0abfb035

SHA256
37a91f3f39409a65aff1ee42489629188e6ccdabf3cdd3d1c0abfab5028d7536

SHA512
3a42dc9c5f82da4a420505cc4da88751477f733e2b7f5e171b49c45d737972794a2eb3fd08bced940171ca1ec22d972f1c16db4895d47444e9f71a69d13b18fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c3a4da3dd54d2e17cbdb81c667750570

SHA1
37da3f9f7d4a17de4dade7ab414f1afb4b7aa965

SHA256
1691a0db8d672e1fd13c98720a789195b9fdb2e86a88ec46c0ebd77971a59e40

SHA512
c0981d0e08aa01e8603384b5dd1be2c68a8ad244fded39ebea84ad2b5fa2b03a829ea21c6a4cdb77db654285a441b03b93f80be6c616b99057cac37a1e125628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c51e8c271acc4b61c061865ab218e1b

SHA1
573720e759196599f03514467e0cce21603146d8

SHA256
42acef7f552d8d00e3213eb7fefb41c6fab4c9bcef8fa7f1279bc75f12cd7cdf

SHA512
c3f344a70ab28de660acfce15f512a553351ced339fd18835fead236b9cd3b0541ecbf3f563ae88addbc6c5d710c7f24f29c70d8e782938135c9321ccec57fa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
58641778bc36a2a749f028cb9541e454

SHA1
0a11b710c0e39099f397648c0615ef936b401339

SHA256
6fc1857730f7d5fc772cdc6198b3ee07beaeeb31a1a07535a6d28beae18afcc5

SHA512
b3a491a458d41def3a08169672065b8a83c9b91396f89eb5d496467fc8c3e6bca0d55f82818f2430b4c971dbc9f2ea3843ede898678548ff9991822fdf4e3d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
43f48c26865fc0d406968973ecdfa346

SHA1
9b787f98a1c6f9c30f0c5a11ef85c2e256f67b5f

SHA256
ac1d621965f4e3353685a8e5c2d97addb48a08571803910fdec24c747af779de

SHA512
2d151f9fdf877d002dae214a8e865839889e5005408d77c597a1d5fc8b9f254e4c8462e9d0b614cc6b12f1a3b48c95cdef1aba1a447618d7a83f8883628c8d7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit