hxxps://kfccms[.]americanarest[.]com/admin/stockists/stores

Analysis

max time kernel
29s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kfccms.americanarest.com/admin/stockists/stores

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133395308346933455"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2276	3920	chrome.exe	81
PID 3920 wrote to memory of 2276	3920	chrome.exe	81
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4940	3920	chrome.exe	84
PID 3920 wrote to memory of 4676	3920	chrome.exe	85
PID 3920 wrote to memory of 4676	3920	chrome.exe	85
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86
PID 3920 wrote to memory of 2648	3920	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kfccms.americanarest.com/admin/stockists/stores
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffec69b9758,0x7ffec69b9768,0x7ffec69b9778
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1896,i,12762696834788273602,1912316651995695983,131072 /prefetch:8
  2⤵
  PID:676

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
528b9c069153e913842b56a684d312f3

SHA1
f33ea1c97ee272a051b98ddf84a61e3f1bfdd5d0

SHA256
979e88e31a6bb1ef9cc098b3146d5e6fee17e354484abe5d0bec266b389752b5

SHA512
9dc6117effacb05b847d33173b1db99243266f66b872c4322a07d88725899821d59cedac810020b379a887588eaea55ec04d3ef2fc2d43700b5401fb8c14de80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
07ab4300b5d4a0755707d787318aad67

SHA1
58e950e21d64856132c1fb70805fc514dbd18fee

SHA256
39be8b493f3135d0ee32f42df709bfc19720459dad6aa835888fdf221e83eb68

SHA512
fa43af35bd145549a8a083e8626125e3e2df1d6554729eecdb6111f9b98cf4fc4bf1b5a73957b2cd2dc7332638aeb80a9f88bfde306cfcd6fcb19f634f919186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e45a7b11eba2c54e0d9ee043f4ff00ad

SHA1
e2feecdc7cfd2b985111c03d019498bee6f108ed

SHA256
5f6ee5abd3456f325a4d5660336fd9bd8a6a21c5e4607cda9fd14ad6638c08e1

SHA512
2c2e9465e33c04e12c9eedc41e1f5ee591ad64520a813319e1d31dbd4f5f179fc29b23aca773efe0d9f86c51b7adf795be6d8855d457586f1c0dbedee015f1fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
2fed68d2f1f72e6c6d88430657781d31

SHA1
d2fd5dff7013393c69df842cdbb654513cb43fd5

SHA256
b51ca56ea9a8211dda8c27c86c34a690cb5d48b1ffa8a20bf96047c51a663e26

SHA512
dca1d9fc4e2a7931bebfc3972152dac2278241762bff5a0d746acc4aa4ae7a04d7b2c484c16986fd8f1a00d763f32148f539c2d55b933584990f5f7d22fe8bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
a421bfea78bffa8747ba170ec2c564e2

SHA1
488f04621a4e5ae6deaf278c26f7c4d2da7cb3bc

SHA256
41476a9011a1bf3037f9483250b3f62de21cd87a441c86a68df033c98c3e0b3b

SHA512
bc6ba06c1c7ede22d96582db7754a9fb40c58043a7d9a40c7c67e9303242a8becb775988c326bd3cd4c69600b74c9692064113e70e743ef3ab8f137bba9e39bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit