hxxps://ctm[.]toy[.]ru/admin/index[.]php#ben@jamin[.]com

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ctm.toy.ru/admin/index.php#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133341592391512775"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3452	chrome.exe
3452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4892	3804	chrome.exe	76
PID 3804 wrote to memory of 4892	3804	chrome.exe	76
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 1948	3804	chrome.exe	90
PID 3804 wrote to memory of 4764	3804	chrome.exe	88
PID 3804 wrote to memory of 4764	3804	chrome.exe	88
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89
PID 3804 wrote to memory of 4268	3804	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ctm.toy.ru/admin/index.php#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe0ba9758,0x7ffbe0ba9768,0x7ffbe0ba9778
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:2
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3880 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3484 --field-trial-handle=1868,i,1588272153162061132,3071116149225101778,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
381b1ccaa67023d5af024e22a1739639

SHA1
30ccf82520b354b9a806381aa08b1892b681a7a2

SHA256
e035ea40b7e8dc608efc1d64a96dca5d979137ef9248a45ea8ddc7745e549689

SHA512
6a9368158b7801d1386a71b30a2328b9119d482e6edbebae412454ffc68bfa990857c3cb94eaaaf7e8c6477464f02c5313c9231ec42aa911237ac91e3a3e2c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5a0e1a20b4365c038b862e1e9adaba29

SHA1
0bdc5f5f271c50bec9db9d57c0ffee94c9a0c745

SHA256
cb7a39acead3710255bd21d5bdce14248fdbbaba589d0b4e7b8b3a9aa6569dfd

SHA512
7cbf91966395c9eae680e88c5e0853bdedb8dc30c724c109547e9900f243a58c6bf9251006cd2d8cde65065ef4753b3f90fe3535075e4b82217025f0381af034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
d84953a439c9836a006b3c45b64b5d96

SHA1
d61947b9a05ab185d3bac6dd991fcf4736bad3d8

SHA256
62180cd65d70352525533cdedcc1e7ec964ed83dfb03208ea64e30ecd616c361

SHA512
c72e1443f09c0b4277d95c014f28c97f3d5e9b74a159dc00bea6e083f419d61b03fff873be9adcf919d7e809fcb2558aab49ffa78654fed58f4fc6923b42988d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b7faf8ddb4f349711c5f1f328320548a

SHA1
8c93165322298e06945c35a04ba5e0737af2f790

SHA256
e8990a28e4474328ccc4629c5c16c12a8acfe1ed7b8258b243fa8a2251c079d2

SHA512
ba42233856574a9dd9521c2cf6e6e6236234427b8f7f653d92611397eda26efa63d151c31c82e52633fe0250dba025bc74638bec6021b52f2e1ffcd977d34744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
9b5860b714669f0ef22ddcd1a8fcb98b

SHA1
270a5793ab2c9c34c1443f306de29f90d9d820ba

SHA256
af875a1fda5eaabc50eba5f5e80c32bba16ceefa842f8462d807d16e0dc85d3a

SHA512
e82d046b0a7b70e192600b53c526efb959a1f7a23887912c25815a9fc3a7179eb836c3f978eb17246e3e3853106cb3daa3595a17959e53bea712bb0f95ae1d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit