hxxp://northernrailextension[.]com

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://northernrailextension.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133329648503637150"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4532	4720	chrome.exe	30
PID 4720 wrote to memory of 4532	4720	chrome.exe	30
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 536	4720	chrome.exe	89
PID 4720 wrote to memory of 2604	4720	chrome.exe	87
PID 4720 wrote to memory of 2604	4720	chrome.exe	87
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88
PID 4720 wrote to memory of 5084	4720	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://northernrailextension.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3ef09758,0x7ffb3ef09768,0x7ffb3ef09778
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1892,i,9764645732053737693,5775332649860588869,131072 /prefetch:8
  2⤵
  PID:3124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6a122d28811ff423aa21926632872187

SHA1
1eea6abb318375a6de3685ddaba7c97f9c33b04c

SHA256
5d6995d220b798f231bcf153f383c511aa35b99f70c9dd23f4b37728bb83cb3b

SHA512
43241c5dde003168c47e35ea1a5a444faf97bbc7322c4a567cd8f690afb2ad0af26c09b64595ed2869754f5a80b84d8ca800f6410753868163c9de984db10bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6c87bf6c10dd241d3963011d95c7804

SHA1
7aaa1ab386a3d71e6b90b6e5ab02e634d1d9033b

SHA256
25fb0c7427c30024369c6983a49fd72edc0662f04ec3b1236e8857be869178e4

SHA512
1e17062fca7fe8a5c93b1da1e913e33f0c0eedfa99096c7c2c0e4f4a9bcd74adb8b108d9029c1a19761d99fe82c3a06731aec89cd65ecff979ca5e1145da2568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2f9fbaf813f7227e55eaccc14c605a2c

SHA1
c993242b1f5f0ea0a97f27c2d2cf65434ae92e82

SHA256
e1e1f216a10f376365dc6aed54d6fd7506c81261ef7d50a1465a563e43b150af

SHA512
95b59aeb28cf6eff8ca748eff5f5e50c5b83f459ca3b149f36b75f9ef3c884a50e582e24e91cfbca522c99ff50e5c4dfe02f0a40caa06f935b81abe9d1b1511a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
df011b275f3d749b0bff657eb89cb499

SHA1
729adb5d8a2fc2fd43c07d61b07a5a4978200634

SHA256
1895d9a04b3419519fea481887ad5fa951ce86d054f853b7ff276bd92eec77cd

SHA512
c12abdbb019becd2189f67ef4052200ea86ab39b5359035a28a66c9bfa9268e639b9181cd9ed9a61ff6c8c451388b21cb6a1994784355363848500fa7ff5f665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
024b54f5d174533f90a8f9f7072ec09b

SHA1
00a447d816c13cd04ca01150492862a79edd6edf

SHA256
b0aec5d0ab8a971615c8f9fbe993ce04ebcc50a2d555a9ef658acf71074bc552

SHA512
224d57876eda5c90195db0366cc1ed94f37e3dda9ac59cf5e4bbbb8021cca40d0ff4f7bc0f936558fd73dcad505babafcd272890a84da742496a55e7923fa3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit