hxxps://rcargaahora[.]online/

Analysis

max time kernel
71s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 12:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://rcargaahora.online/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133443533377496233"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeCreatePagefilePrivilege	1968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4860	1968	chrome.exe	70
PID 1968 wrote to memory of 4860	1968	chrome.exe	70
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 2532	1968	chrome.exe	88
PID 1968 wrote to memory of 4244	1968	chrome.exe	90
PID 1968 wrote to memory of 4244	1968	chrome.exe	90
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89
PID 1968 wrote to memory of 5232	1968	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rcargaahora.online/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4b429758,0x7ffb4b429768,0x7ffb4b429778
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1872,i,7149696406443728518,17336953996057982516,131072 /prefetch:8
  2⤵
  PID:412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1c6a1880b810d48591b0f3d2c40fa259

SHA1
5499856fe4144c1acb5a7875364645f8f762e3e2

SHA256
9a4430aead325efe6a43b1d01226336dd0b70131fc50eeac1ddde221fda0fca6

SHA512
abbb3457986f2ec0b3f4cd64e5f51ebfcd0bd55c613144589bdc297f9f16f801554fb73d4818e65535c20c93b757cb1678a302139ae3bc6d10a1ebe5c928a1e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
28193bcb51431faeca9a63858c58fae1

SHA1
8b58ff5bee37db8dab39652de5924a9e0fb0986f

SHA256
4b2ad4f9244c81d8fd736c5144a2deb6298fe6cb411fa95daacbc58559bb8131

SHA512
77e09b48fcf7874488e1dd714dc07ea982adaacbc3683e842f4c43cf585875c663859431d3d47dbb8ea4fab0a0947f4977dd3d9d6a631791901191874fd104d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
20e19977f1a1e7b7db70cbe4617f3940

SHA1
d6422ffe68e2a73147557e791ed25e1041b9a3bf

SHA256
460f8face6548a40c76c15e9f9f38756508b554f9ed4c2d1cda4a11e9207b0b4

SHA512
9e5142f83ead688e1641c334b7ef3a9b4788e45bf4dcb6ee715d2ba51ff5a9d72f4f336ddb854c6611f0f16764084d92de8a7aa4fb69d25a06cbe453d4faead4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
78494487da1c33ccdce32d19c99b1f7a

SHA1
0acf8a2c7257ddc6f716316f74d8accfb5a123a3

SHA256
bdcbe6c5e7e98acea17947c519b150b2ac1c11720d653a955286a8e80f654e5e

SHA512
59c02f7a698c78560385905999206f45f3a55e1ed223bd7eb2b270539129569335d13d9954c3c31a4ecebc8170c41917c8abcfe279c516705515d4610e4b516b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8f2be82af3c9b2be11fbc1aa2e648fdb

SHA1
de1384bc9f847558a66a4f2f141d5195e45be6fa

SHA256
0740e19bb6857dd2a1c5c450ebea1bb54994fd0a429b68891334dc7d123a7d33

SHA512
832a8e8c579a5a651c74213b23c042ddbea96ebe20060758dfe9dda14630db9deb3f804d0c397290e9b2147789471e098ea86c40f933a5ceb5ca0dd9151a6cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13ff73c34fa8e246d6a82ce1f65c2232

SHA1
aa7e8b1662974fdd44f9f7e300c29f75864bace3

SHA256
ebad0e3336a640baa23d4c004a9fbb14d5745a2f3261c5b936cd08474925d3af

SHA512
6ba1896afc63c986cc2ed53580349a1069561be1edd8fec939c1fa7ea14fdfae3e694e8ade8b66fe7751556f5401ca4bc190d2f276e0df81672dca05d9306ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
9e5f2b35cb5ad9de762a08c83c4ec1f2

SHA1
11bbf3ee7c67fdada30eff3d1cba340963cf8024

SHA256
67c075332da3af9f675b7d9e7da22096335d635a14102148651747062ade64c4

SHA512
4f4dac8c9566436a0d302182bdbc3c2e9b2260328bea60afd69ba1e7b336934a2a1b643aabaae44468829b656b1d338fe690fdae3cbecb851e8b5efa05022085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
93f282ac67c400f6488dd4dfbd3d7461

SHA1
80894693ac7d15830092ef04840a91e23cc90f00

SHA256
4a8a8fafbb0eba4ae9f21ccdf428afbcc031e94a77572762e4d7f49f3cb711b6

SHA512
9b862957d372407a79e5358eefc54226fbd1911c32a148f5a9f800d30372929e96e615fa6a982782618d2fb10ee4c84ae0c44b163ad4731c511f3edc0458356b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5851a5.TMP

Filesize
101KB

MD5
274efecff4523737c3e978b7275907a0

SHA1
2b8f594f240cefbb164807f3dd0a1c7e4a8d19a2

SHA256
4ffd4435008443c9e1e91fc4acdb334fa865fe5e701a7f0de497215874732a73

SHA512
5131d5831765cdec35aeb06b2b8f814c2bd30911d1bd8e53f903fd6ba115919d778d62bd50b4ee5f37dc1b19e29ff0df9bc2b6d294cdcf88e30c925864e29082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit