hxxp://www[.]wearechefs[.]com/

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.wearechefs.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133433889983445867"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3796	3512	chrome.exe	38
PID 3512 wrote to memory of 3796	3512	chrome.exe	38
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 2284	3512	chrome.exe	86
PID 3512 wrote to memory of 5072	3512	chrome.exe	87
PID 3512 wrote to memory of 5072	3512	chrome.exe	87
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88
PID 3512 wrote to memory of 2392	3512	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.wearechefs.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7ffd9758,0x7ffe7ffd9768,0x7ffe7ffd9778
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=6092 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3264 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4688 --field-trial-handle=1848,i,6693001965512381852,5865870891346923606,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
00a4a77b2e27ce9fce261c28ed66ea4f

SHA1
0666a913f965b999bbd8c8a9d4acbd56de86e738

SHA256
c02e9b5ddd8e7c4a707590cd771fc263652c0bd694f54ceaf0a15dafeabcfe9a

SHA512
7148a388e0bbd2af2ab203b14c5697f0fdd675a3cebb91e9038072c38ca392247b7c0a81ba9572e6e80f5e103e86b374dab5390f2fe408b2856c6618d69c950d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f6d81adc82952912be8e5d173f314d2b

SHA1
8553228c9a9ec3aa14d9fd295645f95a393b2985

SHA256
20ee12055a0ae9ba106f019eb1c0a1a696a04838fcbb7b2778759571fd4a583d

SHA512
39fdbce8faf05ff76e0aae6f629691835573f60e92121841f3ab71a42040331cd1be0df2965ffcd2fdce869760a6de5ae2cb3633b93f6cf25536d55502d236f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
863B

MD5
15021c28f1c1c05714560ce2ce6a7a8d

SHA1
2eb0c8d4d5469de37a33d409f9becb2eb158ec00

SHA256
4bd036ffbc1790ca251cfd17241dbf3503b9a4cdfe7f7073bcc4bf3a5684bb57

SHA512
afa17569e1e56d4b8df74728147f9d74692bf2bbce0c18621a7346bef3799a846ff273bfe52e849773c71589441bb205132aa81b822e61295c2e788a44751883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4b1840b26280f17257849079f8b3c0d1

SHA1
4076dcd3f8ebdd37ee846599e5581c1642afdedc

SHA256
207cd393e70f47ed0825f046a3e852e758e0510cb46f7589afa85bd4ba8c56a9

SHA512
e485cfe23cd005f480ebfc845788937066742214037f0a822dc2b6212af9aa9e5f855f22c1939111cfb4378c0ab111ed5be6eb1c94e37d5b18700b9f0325c466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d6cf94b7804541cca919e2231b7a9d08

SHA1
dd576686a6d9814cd522c6856c1efa8067514cf5

SHA256
c01989bfb1293a1bd57113830f1e4d9e0bb1edc9324f85202ffdf9f8a23e6c18

SHA512
e0247e62a7d8fb0c8dc2dc78e024881c3923db1bacba267474ad7a60644051047d1a664d28417750527a5ee5a3fd0af6420335f6758b872c8ae7dddb1d1831ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8b7ac592f7756df505af8ca11d1dab04

SHA1
7f6121113b7bd4a78093765e22582d128df00ccb

SHA256
95b35b75ee93a9703b401b33248676fbce3a6dea04ddddd5feabd4fb4251933d

SHA512
6927f60a8c753ed9e9b52445a94e6c4536ca8ddd849412964163e6f7c94d83418f57cb8e16167c549e381a8a52cacedea302c4d280bf028df04ae31a19a20a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
233c7a50a7848b32c4ef9232a70f4bef

SHA1
3007a82d91128d99ff1818b2848f1da065c6d65c

SHA256
4a6b21691c73f37fb609ca9066a8baa1f3a9914c8c2f67d3bfb027a7845025bb

SHA512
d05d0a4477c689be05e25568f881158f345a159c611e263d74abb0ac4cde7062e49e587e01a63630b4bc8128fc1a684df00f103181d263ef246a45b9766ff606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit