hxxp://wcazgm[.]eydaa[.]com/adww@yahoo[.]com

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wcazgm.eydaa.com/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133407314554465421"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5052	chrome.exe
5052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4788	5076	chrome.exe	74
PID 5076 wrote to memory of 4788	5076	chrome.exe	74
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 1260	5076	chrome.exe	87
PID 5076 wrote to memory of 3000	5076	chrome.exe	88
PID 5076 wrote to memory of 3000	5076	chrome.exe	88
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89
PID 5076 wrote to memory of 812	5076	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wcazgm.eydaa.com/[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbed419758,0x7ffbed419768,0x7ffbed419778
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3332 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4808 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3680 --field-trial-handle=1908,i,13388942236181595141,15765157013503963386,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
be8469abcf215f7aa159f15abae2b3d4

SHA1
1ec1d01b16cfc66f7db826529b7fb1d49824a0c2

SHA256
14954ebcaa710b9892c3b5ffaed7e366be79abaa2f94d705ea3c4c8da47696af

SHA512
beff31074c41223479bace6023ae900d536d6f5f8d4c02e2fb666c748e1223fb167a0949a71fc0f465a75dd6eb296a1a09b0d001c4bec950ca1bbb5e206f69a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3fd2b2e9a327e7c35e0e58da54ab8a92

SHA1
eca7d8d7397923de24db877098d958d7f7a3af96

SHA256
ccce76a647407917a0b8fdc34beba333abc452d5f9e320aece928edd78136553

SHA512
bd1754ebf284023303187013ff34f91b61bb092210e683878f41fc18e731219a3917ec00c3d697e2af2d54503441c468b4b2e0524a8714e4f557a8473a23fe9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
aa9ffd4c3f7a042a55b167353a0e1acc

SHA1
30b9d4892d2e8a0293ccb7d82c8b60a9519c5886

SHA256
c2397236f8925a2a19b48ec8726b9261ce011ae58f7e35ecc914a94baeb94699

SHA512
efeb981cb48977fe49f68507b9b84151b0f8ff650a266df388c1a69bb74d5dfddd05e45688eeeffab66b1df14a1a6dc9e33ec50eb79dca29552db1c158d80d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bcb722d76a6b78c390d03b6073570bf7

SHA1
8f2a4ddf980ad15f3aa731518bda7b8868cefa27

SHA256
8b22d78f57bdb6c022e0b1e5dd56c6322f576c994689cd6b7577b9ce9dda78be

SHA512
4c20e9d9f30640bbee0b906d9490efc97afd5fec9a27216c8f00e8dfae233f5d39b753c067dd53c9d3ce75d4107dc95d60e2db16d1b81b18d958a90e572778f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
2b32ec860b726cf7197b5b4d58955da6

SHA1
64fa663d56ece43bfa97edc8606d1a45e0b5bcd2

SHA256
d4f094494aaea0dbc4c317f2eef9e7fb88ba265eaf65324e472310a17baf3b29

SHA512
fdec1becef190c240a53de339340d145c1ef04eb7ce464971cb394f605adee81285429c671b94beb1dad8cbd01a33f6c5a642d92a79ba683f24c72b5566ea6fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit