hxxps://www[.]cncartmaster[.]com/set_currency?code=INR&redirect=https%3A%2F%2Fturismoturquia[.]com/tik/3854926/contract[.]admin@city-holdings[.]com[.]au/25840009 Investigation status 

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cncartmaster.com/set_currency?code=INR&redirect=https%3A%2F%2Fturismoturquia.com/tik/3854926/[email protected]/25840009 Investigation status 

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295018835902661"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
3336	chrome.exe
3336	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
876	chrome.exe
876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2640	876	chrome.exe	83
PID 876 wrote to memory of 2640	876	chrome.exe	83
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 1516	876	chrome.exe	84
PID 876 wrote to memory of 316	876	chrome.exe	85
PID 876 wrote to memory of 316	876	chrome.exe	85
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86
PID 876 wrote to memory of 3960	876	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "https://www.cncartmaster.com/set_currency?code=INR&redirect=https%3A%2F%2Fturismoturquia.com/tik/3854926/[email protected]/25840009 Investigation status "
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2de49758,0x7ffb2de49768,0x7ffb2de49778
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 --field-trial-handle=1784,i,3188397043335507424,6908550455043654522,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e3816234e87900de2c2d4a0e430bf2be

SHA1
244e5bf7d1c13ffe6439e0a1126d771b704fa554

SHA256
e28f8d3bb1f2f1b7dd4c215018bdce1299bbf901307ea2955800185217977158

SHA512
56df3e2f7af10a9932ef70025c658766bc3e4ed9c0231da17640f7dcf6186d3fb12358839201f1e2eeade1552423ce4c17603802c33e9465738d8a99b0efab6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
852787b31b87ce784723461f89ff23e3

SHA1
21fabf29240aa0430073f4cc70344c020ccab59d

SHA256
95b0b0e9d2f83308f5fccd22dbc6557b098fc93bd5946cea53cd91372bb5721d

SHA512
0e2d7e209d418620d3d1e484c20e621d55597801e317a05c98da6929fa7ce7ad8bfebea4c37ee4f338023c270d014b9d7d47a6f361974f9d994cfa80844f4221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
858B

MD5
e44c24c96001c2e28369f5aa91aa864c

SHA1
a70646060983f19c77b12be42fccaad47320cd09

SHA256
1b641c5d3792837b34169ded302d46f924d126d381fc08f2c553e36b8b0ab2d3

SHA512
b5011a8e8bb9fc85f2443e69baec6ebffdcf6c9cacb345cc57a09886cd72e66a32def9e9bdf909508d4f7ca7c31742361ef61ab5b6f0ee793f181e04b28e98f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b41293672d7e1889fda740f3172dde3e

SHA1
f7e6b1d68a8e90b8751124ebbd91024ad1da1fbe

SHA256
1e076cea01ce02ffdba3f97ef9592a6ccd075585ef205c4d051f977438b4c77e

SHA512
6c077cf329a00ea1a0c3d2438c8fb87dceefeea28ec5b49debcbbca7be6810b061eee9682f886458a98d2a4c79feca83a21f8491f3bba2e225423825ad338147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
482469c52f6bcb90543a539c2d8b4b83

SHA1
b77dfbedb0059780140a8c6b0877c4a665f555fc

SHA256
07a5fc01ac73616ae0d72810478964abef75c8458d42cb32a1b4112ad72ece4f

SHA512
4989663f87ac33e574b456487b2794e881f5e2253452b4acbd6e7ee5e35b19c59c86506eebe74314c81c934c2ac8c380e3defa47c5a437c4247b5bffb47b6dfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
79f622847d57ced4fefefdc2338b9c75

SHA1
8c93bcbac45e4d8294d2f1b63c47a305e9e671cd

SHA256
52fc6fba51c4057338d785e9a4eae286d08cf2175628eff75ca8ef7b22cbc9d1

SHA512
d6911c227f0f065a2d2a795f04246bc24bd84be0ac3ae6f431049b38b788cc4ac0c0877056fedce200d1c60656a24b6cd5e38b72ecc13c30eb2e56acf37018a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a4295d30d7f49b63e3798e7ab72b238a

SHA1
112b9c81d9916ea05b31210313ed53dcfee07555

SHA256
f1b8e4815f85c4c90985477bb660b528cea5cc19ec10c8aa96b3f2947fcff99c

SHA512
32bd37a83a4b55b29bcf6bd77edfb105577e859f95b00beb13cc243a072de1fcb9e79d3511fc323d7eeb587261409ec98a2885e79fefc7384a9e3d5e8eaac5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
6a280c3b7a1390af15ac38bcbf5aa50c

SHA1
9d876ef9390f021892c32206613b4d4df3cdf242

SHA256
596ee008e38c9be4f2f52923ea3eb30f78b07199c51aee1e386f88d038f9369a

SHA512
ba8241dc605b446ae3e6888014e8897eea1eb7826f8909bbca5b9c93f30a6576af980cabf0c281e26055da302764e59be1dda4dbdb81aeed163552c5bc397b44

Download Submit