hxxps://campaigns[.]ecellar1[.]com/ct[.]cfm?i=HIcHu2zvG-muZNWXuhsvMtx

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://campaigns.ecellar1.com/ct.cfm?i=HIcHu2zvG-muZNWXuhsvMtx

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133359936917922863"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 5056	2596	chrome.exe	82
PID 2596 wrote to memory of 5056	2596	chrome.exe	82
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 4612	2596	chrome.exe	84
PID 2596 wrote to memory of 3876	2596	chrome.exe	85
PID 2596 wrote to memory of 3876	2596	chrome.exe	85
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86
PID 2596 wrote to memory of 1120	2596	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://campaigns.ecellar1.com/ct.cfm?i=HIcHu2zvG-muZNWXuhsvMtx
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefa159758,0x7ffefa159768,0x7ffefa159778
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 --field-trial-handle=1716,i,1776380047608339144,15637228298298850398,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
d88935d32196fffbf550b2cc21ead149

SHA1
90151bd5f4a66bdf9a30dd1d02ca51cbc1c28cb5

SHA256
159d6d2ad64f0c398ff2fefeb3e6ecbcec4a57e9dcb2032c83d9391d634eeb73

SHA512
8e74dcce480b79fe0d0f30c8d684b18f6d90817296c7160c423885983a191704918ceff022e07a921a11b64afe39346db84ee6a79e3563045399a4b78b26d422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43c916669e4f31dbb9e30b8fbae6dce0

SHA1
88d77654f4aea2ea0cd8d809afaa8a401c235061

SHA256
5e1b5ce11cacacc3f687c546167b29cb01b7f98fda783e8917d40599bb04a459

SHA512
183f697104657063e6350d21ff8235e0fcab7309c4db11d1553c76f98493221869f636bc91eb96c0f0794c7bcd68976c60cc7c623cfe5f29aa82af4019df68af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f0b79bb4841141ab1390453d1a62543a

SHA1
91295f84856f6c7cb8e89a456e9983d8a83bcbd5

SHA256
92d0b604d1ea9387425f74bf36318f17536f0336d6e0a303ede4b1b00eff453e

SHA512
4e486fc69acc0b0ddb0b395589d7ecc0f3005342bf40afb8c56b414f9784241b2a6136521da093f9f081f81daf098894700b5b6e11b735c9eeaca47069e16ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6a3b9f179851a55ab354ad9a0772b532

SHA1
7a7f2d787d5df535778f7a5f841864e6cc825980

SHA256
9334716cf4295e4fd4749963e7bb27be84021cfb98481866a69199dcfb292b73

SHA512
eaf9561dc4513e09c38fb1e794d3ed22330e84b17777aeae49da73101f939734b3c3487763b1007b93990213ab32d777a20666c0e7b118f170bf02898676901d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
ee7b8d845e63ce6357e823a2d41f819e

SHA1
5de9d917525ab908d74fedc93bdcc71f42a5c30b

SHA256
54b10a5721f3fbb0622dfad85be438eb76088f3ee1ffa36a1d5c55e5c31b053f

SHA512
6fb0ae5071cd5b1aaf2ca43d1d078af6efee4bd737ec58216df31b5ed842685390b0b827160aaf20cd67573f0e26964c635d63885c6e75cb7c9f4191af472532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit