hxxp://game-server[.]prod[.]royalmatch[.]drmgms[.]com

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://game-server.prod.royalmatch.drmgms.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133306026730875631"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
1572	chrome.exe
1572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
452	chrome.exe
452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4040	452	chrome.exe	85
PID 452 wrote to memory of 4040	452	chrome.exe	85
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 236	452	chrome.exe	86
PID 452 wrote to memory of 3572	452	chrome.exe	87
PID 452 wrote to memory of 3572	452	chrome.exe	87
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88
PID 452 wrote to memory of 2472	452	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://game-server.prod.royalmatch.drmgms.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffb0b619758,0x7ffb0b619768,0x7ffb0b619778
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:2
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f6bff71cbbb45b4bbe45ba7210a3a960

SHA1
77babb8533a11d60ff076e4aa7e4fd01758446bd

SHA256
1ef6b0c1021ac3c0e0b86fdfa6ed195d5f0a179bf767f023b570047295b66cf5

SHA512
41a586dad732478d43c8d5fb02acc2d2fcad5f43b9fb33599a1e5260a8d7186fad2175f8b607181f9bb68505db776e59437067f0c836c2c5260242291e7c0ce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5cc4b4bac7df3aff8caf71dde9480a28

SHA1
e8174a8c7e9bc5976b1a95c5869f56b784258066

SHA256
9631b1895e33c5f5453b9be82bb26310fa477da6779e8d38de9a47e64b03e1e1

SHA512
7a8f90c0b4973379d634018dbb2b364668fb6f52b8bc68a477f792ebcf61c6d920466d1108fecaae6c60f176317e6c8b52d54e59522690a205c49ded7af663bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5c725def9b637c863738971b3800457e

SHA1
051e44deb7835523c3df792f1527464c0aa223de

SHA256
63651fb00cbbba42e9b8b34aebc65599aeb2c9adc8cb15f0d46868e801ce8a67

SHA512
862daabdf134d206df4911a406f69ba34b04b860a6ac126555d58c43c212d71db2f308f67814c1714175ea4a5e112af5acef588c15a94de3adce6192a7f0e7a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
0246b473bb911f29ba707eda9adc5811

SHA1
d361cd03addbb0cb46f9bc888dcb9b5c9f27d2d9

SHA256
09bd006c0af36b1ff260e8570710914d548f42bd4b3cbbaa93d84b931dbc4034

SHA512
ead10f0ee8a92da2441d84495e7bbe60fc2e2b8cc3a79871f21bc9de18c9a527ddd3a917d00baaa685cb751ae6efe5d6857bf7853e7afd6e0560133fdf85034b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit