hxxp://btcbulkwest[.]com

Analysis

max time kernel
49s
max time network
52s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
19/08/2023, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://btcbulkwest.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133369601962047485"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4368	5020	chrome.exe	70
PID 5020 wrote to memory of 4368	5020	chrome.exe	70
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4516	5020	chrome.exe	72
PID 5020 wrote to memory of 4024	5020	chrome.exe	74
PID 5020 wrote to memory of 4024	5020	chrome.exe	74
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73
PID 5020 wrote to memory of 5080	5020	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://btcbulkwest.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd79369758,0x7ffd79369768,0x7ffd79369778
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:2
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2680 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2672 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3856 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1784,i,9527680530020918608,11702810803887928614,131072 /prefetch:8
  2⤵
  PID:396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
77b94530aead5d58b12d365bd8cb9b36

SHA1
90bc3fe67a1317e6e2cfd223b03647923ced0580

SHA256
afac7981f73b88dc481d79bb10064c247a2923c8d4dd7aed404dc099052ace73

SHA512
8d8f23bca5ec06369eb68140d0f64f51e4db705556cbbf09be499fae9c1273477133c984d158484d4d6b7dd3875287d2e6799546ceb5358c0980a2bd8a2aacec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
7ccee29d42bdada11c77dfe76890a671

SHA1
58c4349ab887f36b85d894d4a98b407e5f71a987

SHA256
b456fdefa9eb6ec685b1eeaabfe697ed5a8797a7f733b87d48bd195d22d16b00

SHA512
9993f541960133621a9e06621a16c357d758a12e0f6f555f346a4dbb8abbe32394022033ccd3df17916ee7566be98a3847da7cd2ed2b771ac6d728c899484430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cfcbf817e7131488845662c916a02749

SHA1
bf71400bba078f7b3ae4d06066eef021e4ed5e77

SHA256
4d26c59e5fe920f3e636e62246e35e7cb3d23ff35270c3bf19710933a4372c8a

SHA512
ce2b71b9aa23a5cddb3bde51f11b2d0c3622b17a856eb3d88b8146b1f75f85b69ae9c26b4497089fb56799db3684ffcfebb08a62c7036553a911bf6e53cf9e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6238549a5525690423e11a15d97bd4c3

SHA1
158dc5e66e5d7bf18311ce9a4049b322bc5b5ee0

SHA256
6c64d58b9b6f91d79740d2d497bda3998d9c4052a6799ea7a98c7391c8a09218

SHA512
b84ca9b37d252085c9e8703027125c1593ccebba89a14262197f62054c5a36bcce7b6a497924f024f47dbbb27439aa38680d1370442fefc939bc91909d20269b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
a8bbecbecd2b76db04bb1aebfb9deac9

SHA1
ece83855a3633f4d8acb6d4b893ccd4ab0fa26fc

SHA256
d4fa92261d993bdee09fe543e957f335385f61f217ed738a6a0a4bac506488eb

SHA512
ba7b97256295bd62eeb20b007b1632efbc3bbaaa8087e8d0abdfefea32e29142e09939459651b1141fc82ed1c79d30110ab1b5307f3e6ccea2b07ec79a49b7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit