hxxp://madamesomtam[.]nl

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://madamesomtam.nl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3220	chrome.exe
3220	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe
Token: SeShutdownPrivilege	3220	chrome.exe
Token: SeCreatePagefilePrivilege	3220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe
3220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1852	3220	chrome.exe	78
PID 3220 wrote to memory of 1852	3220	chrome.exe	78
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 4588	3220	chrome.exe	80
PID 3220 wrote to memory of 5016	3220	chrome.exe	82
PID 3220 wrote to memory of 5016	3220	chrome.exe	82
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81
PID 3220 wrote to memory of 1540	3220	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://madamesomtam.nl
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffff9f9758,0x7fffff9f9768,0x7fffff9f9778
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:2
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2744 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3024 --field-trial-handle=1868,i,18368676472810636169,12653019238662955164,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
65441a36c890b2714e74231ac62ec616

SHA1
ce1fb2abe37f31b82beb32855f8c5028127f329d

SHA256
e16a2c17e280b4ce26d8ef83107727b094ff5f2903a4d29103d87cea313e8090

SHA512
a6d3f3c2ac0e99d741b373a5a84832227edb8c0f74ce33aef45a7c5751b915bc848ee91c46d2f80b73a40fdf1b2062e9f176bc7dcc20191374966759c64d50a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1472a2ebbb7cfb4e4ca612ba06ea74bf

SHA1
b5c71bcd00f14bfd0a81591230433aa71ae8ea11

SHA256
2426fc723dd867ddc130ed9b2d689ffeedd0829c0ea8b662bf7a927f59062549

SHA512
b7543bc48532cea05ab6487d5934fa5a6818f392ca5789f9a988844e00167169776f6b21eed7bcb4dfcf4461aa11608f593f0fa874ec7316476c7885f102976a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
51898a80d52554de1660b0876f301f57

SHA1
f7264ed53082595155842658e50cf1dc04da14f8

SHA256
698055903f533d2b4167cbbae689d1c6b3265561a1dd5ad8259d9b97ac2b58c8

SHA512
d23335e83d3813560be69a1c67ddb8d1e46b6b827d18f49056a7bf8314f3bf1ba81d4f48d7ba18679438813ee0bb759878d82691eb24005f3f451f270083c375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3f588b9dc5c2b8cff844e5e981ca70c5

SHA1
babaeb7ff788fed60358a4b6525f74d39be11402

SHA256
fc6223e6000e6a558a7c0b903b449ec5cfbf1f7a15a504697213b5c7e1359cb8

SHA512
747a7f31802942b6530dab8c740536137764d33dddab74f1db17f379cc03a9d2f1a59edd14dcaee410afcc651dd6b2f18f1311dab5d1ad35628a77fc1338cc0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a84081a50c0185c8d1e23e7e5402f6e1

SHA1
5c0209ab4e675cef484fe7c1af6d7077a9874fa9

SHA256
7bf93c2e864e3ac85677fb8a4332df45c01ef6ba74dc65a2e4931321052360ec

SHA512
d0673c9921b9d11aff84478961df17cfa5fc581f59b871fca99e47f2c0de581f2a5114958c879dcd1b099f4af002ef9b0c8c91104f32e8874ea3f1ef043197c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
178f4c4846e8d2fbf5a14543c342aff2

SHA1
5dd8e1fdfb8cc45814d82f9adb16db3e91a55a9a

SHA256
75707bb22e43b08eef57de8f4ebae2a9354e6c3a445fcc54a0e1b3727b7af1f6

SHA512
88f986c2f05debde70fcb2c576049b1fb111e63f963b1bc9c079390090bf20a015910660b99929a7747531f5b676bbfab3ec7fb4a9ae669ebea1d5f1d9db11dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
5e0b6c29ab113dad4dbdc3784fe273d6

SHA1
6e7f2e611e16973fdb1c70fdab42acd5818b5551

SHA256
9361c0b6a841274186789876534361d0ca4e75eb0fec7820aed7b99149e18469

SHA512
d54a844823279b2253283e43f8f8829ac313d25b90692591ae1123711bb564cf0bd126cb3f62179ee997124a3f44d6d2001442d0e168c9ae461d8073322c03d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit