hxxps://clickproxy[.]retailrocket[.]net/?url=hxxps://nhdrawing[.]co[.]uk%2Fnew%2Fauth%2Fh69K%2F%2F%2F%2Ffefe4@yahoo[.]com

General

Target

https://clickproxy.retailrocket.net/?url=https://nhdrawing.co.uk%2Fnew%2Fauth%2Fh69K%2F%2F%2F%[email protected]

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{659468DD-39BF-4F6D-A6C6-968B4C4AB74B}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133350205223401937"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4960 chrome.exe
4960 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4960 chrome.exe
4960 chrome.exe
4960 chrome.exe
4960 chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe
Token: SeShutdownPrivilege	4960	chrome.exe
Token: SeCreatePagefilePrivilege	4960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe
4960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4960 wrote to memory of 1608	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1608	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 3392	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1276	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 1276	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe
PID 4960 wrote to memory of 4572	4960	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://clickproxy.retailrocket.net/?url=https://nhdrawing.co.uk%2Fnew%2Fauth%2Fh69K%2F%2F%2F%[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3ef09758,0x7ffb3ef09768,0x7ffb3ef09778
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:2
2⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:1
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:1
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4840 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:1
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4932 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:1
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:8
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1892,i,10698342430469492596,16867466376300047366,131072 /prefetch:8
2⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
e378211b9c818a1927179d53e54b78c7

SHA1
a3b7ebcf4f95a0d0cf03070eac8d054aa48facef

SHA256
4d98330efa7ad19b756e76c2c95ab35f08708dacff52b01583b8f28c4d9519b1

SHA512
14c74523fce3dd79e63c688fea6026e720ba46ecb8fba7b97727bc6a809eecf62105cd7683c1d092035cb9668f7cbcc35a7adefdf89494926f73923351532ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5150d7b7c7f5c3d107e62638af4878a1

SHA1
a60c630398a5fbed3a919daa4dbb7148b9db627c

SHA256
bf9794f8f553eeaa436e9252601a4089fd3c7760081deb4260fbd674145c9d5d

SHA512
79d7f26c1db659133983fe2895d0290739c52fc3b2ef41a20caa3416436ede344c549aab115cbb42a2393c77aa8794c23245ec09ba03ae992d8f1b585b87e986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
40d19f4c195ff77ac45daf87e3f83be0

SHA1
4755f379199bd2f390e2355c5f220e7a2df8eebb

SHA256
aa11e833c72e3d5f77e02fe989768486a9ab89fc7bd3cf244a4750fb4049165b

SHA512
9bdf0aa031b0f3b92c4871b2286bc0321a19de076aec4e3cf115d8b43f4a34f39d5f6b2f566adf1481c7976d6c6f6d2bdc849d140354af413586a86d240fe3a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4960_MQTBKNZYHHAWDQWW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads