hxxp://citadelle-cerf[.]online

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://citadelle-cerf.online

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358174912071761"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3096	chrome.exe
3096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4424	3572	chrome.exe	42
PID 3572 wrote to memory of 4424	3572	chrome.exe	42
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 4680	3572	chrome.exe	86
PID 3572 wrote to memory of 724	3572	chrome.exe	87
PID 3572 wrote to memory of 724	3572	chrome.exe	87
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88
PID 3572 wrote to memory of 2588	3572	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://citadelle-cerf.online
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff871c09758,0x7ff871c09768,0x7ff871c09778
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:2
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4904 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5216 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4732 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1820 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5276 --field-trial-handle=1868,i,4969131705180532491,3393338750376594383,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d5c7979294074c7d9c3aff7f5399fda1

SHA1
1c7edeec99e487167e3cac4832a87ab92d7d83ad

SHA256
04ce26b5a9e36ec0da04a67f2fe068fe858b275010521a19f3d177382aaa084f

SHA512
546c507ec8076c68b02cd14ca941fc3c7cbfecb53b112ca7d2aaa08117992ef5e63e4bc28b103e3abbd3f8481d046f5a80bc415d5acb876bcd84278c1487698e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7b1827f4a5cb114382f42b4466366148

SHA1
9735722b943747ac462a87b9f412220626dd0944

SHA256
2846c448d5b1238cab542585f195d7cc9be4a3571312706afa3dec39eccfe97e

SHA512
d3a18ffe47ba463d3ca033eeee7798a4cba2037ed05f00105ff4651e8e9df1b8a7c322b3a5fe4db29a40af0d403be43fcffdb9cf1df060f124e9c8db8adc7230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d43ff77289356c7a8bcdc33da950427

SHA1
22eb4afcfedb10109e1d4bd4d010595baa0cd1ed

SHA256
0fecd4a9180dec87899ff58a99c66c0273a690e18cefb3561d2b845dd92dabc8

SHA512
632b26d2bfb11c69530a0567a3812e93e1991dba112fd8fcc76750e598151750d1352237c51b5e02f6a17464b9529fdcd9456f6a0c1f9ab5dfb354ebe348d3d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5fe36030ddaf300b3b6844cd253ac9f7

SHA1
0b94a7fa2708b8635aa1136a24d26457b5ae0cc0

SHA256
198e4a9a68daae3d523cca287266a6737d45fe4c576e40a782ddee9cc8ade40e

SHA512
6a5b4bdf6a257e83db5e62d3bb1be4001b4df4efc8283ce3262abc025fa0a0bbe5a2101968325144e3453c8a89b0fea75ce669e79f7e06a8bb035dd6ef2657b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
37af03fd75bb70da81d5f3dae41d8b3b

SHA1
415731428f66bd0b41062bef1bfa7aea54c569a2

SHA256
ee53540d174acb02baa0a6fe572f2ec4a8a00312a6eeacbab14e9dfe8e2dec7d

SHA512
bc92658588b91e31adca392c4f36713404bcb1870c2eac9eb0d98a2adc7d5699bbc937c53698d0ab3bfa7dcb40a77893bc2262ee494e5f46cf567b834b605630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
9fd72c9056557bf9188e6822b400fc22

SHA1
0e89d59d4d391acbaf006116586e0e4eefbb32d3

SHA256
12495ef1d1fe37b8b8dd54fb4c8ac515e411e8802e7979360069952590c34c34

SHA512
5daa606cd2d2f7071b6770a5cac89a994082381715dcdfd3d1efde45cabef2871256bae23c5b912bd2dab39669379119d54282756ebb4f68aabdd887cc2a905f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit