hxxp://caramelbbw[.]com

Analysis

max time kernel
1801s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2023 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://caramelbbw.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382758291214647"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2944	4832	chrome.exe	15
PID 4832 wrote to memory of 2944	4832	chrome.exe	15
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4020	4832	chrome.exe	87
PID 4832 wrote to memory of 4112	4832	chrome.exe	88
PID 4832 wrote to memory of 4112	4832	chrome.exe	88
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89
PID 4832 wrote to memory of 1504	4832	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://caramelbbw.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd949a9758,0x7ffd949a9768,0x7ffd949a9778
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:2
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3712 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1912,i,15110770505449373684,80695872078218819,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
ad441789e6a03ae2ad9f8ad935395615

SHA1
a5fc910c389ad3e047a93e6d68b7cbcc397472c7

SHA256
cf7caaafa6a927a7c71dfa8af1ba7e7620c119cc57bfb5835dab0ba2f0a1b466

SHA512
fd7ed87181ed66a93c0be278d31797a5c99ba369b698c100dc7a886a27566df0a04456118708352c51667060f42415caaad1dd9d4097f21f337d25a258665907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bbe7014f4f49ab04ba823e50bf129725

SHA1
b04d89d99bbbd6e41d2f59adf8ea6a5ff13151e9

SHA256
19296d09d3050726bd38fab50ad4463d15b0c0802c0605122413da284b66887b

SHA512
4b33191616d46c5e0b4ba19402da3160848e317f567c4bfff15294e8ae5fc6e0e5bd3b02be2645448371fec2139edd730b05013b7cd854c8a341b80201c0f85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a72b96d039d3800f450985656dc2e0d

SHA1
027d6b6aed75e533fc8e269614ddd0ec9d909035

SHA256
2b53fb67cb7b45939b0b0594d95e97a0acc16a9ccf0a01f0137f254b6a38087c

SHA512
1db402b957ec9e954f38a7bb1070cb643d59df935cac978f09e0a8f8f843de89193f3feddcebd0269d330a4ee0da98bcfbbcc7a637d27b2fc766554439c12c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
9870cc1210de1364029c8730d313d838

SHA1
8019bf42370dc8fc1640b87751c60a71187602e3

SHA256
45bf3c13adb7ba7b6e7674547c7d59f1c8ada3e9d875fd0ac33bc602ba231a4d

SHA512
3650cfa1b6488c955d84e4c8298ea85d4e4e0cb5ed742beab7b58d05a89f213012886dcd8aae6f5e8d9143ff4860eb3a823ac28840affea15438e91556ca0ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit