hxxps://cdn[.]mobius[.]cloud/third-party/locked/MathEditor/1381409/MathEditor/[.][.]/[.][.]/[.][.]/[.][.]/740fc47/mathjax-config/0[.]0[.]0/MathJaxConfig[.]js&delayStartupUntil=configured

Analysis

max time kernel
119s
max time network
96s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
15/11/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.mobius.cloud/third-party/locked/MathEditor/1381409/MathEditor/../../../../740fc47/mathjax-config/0.0.0/MathJaxConfig.js&delayStartupUntil=configured

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133445549234772161"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	chrome.exe
368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
368	chrome.exe
368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2336	368	chrome.exe	71
PID 368 wrote to memory of 2336	368	chrome.exe	71
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 660	368	chrome.exe	75
PID 368 wrote to memory of 648	368	chrome.exe	73
PID 368 wrote to memory of 648	368	chrome.exe	73
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74
PID 368 wrote to memory of 772	368	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.mobius.cloud/third-party/locked/MathEditor/1381409/MathEditor/../../../../740fc47/mathjax-config/0.0.0/MathJaxConfig.js&delayStartupUntil=configured
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdf04f9758,0x7ffdf04f9768,0x7ffdf04f9778
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:2
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1712,i,13077943567939081707,6137477535868022386,131072 /prefetch:8
  2⤵
  PID:4136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1a5ed72a9f8c486d04cc183bb165d000

SHA1
62761f45c80b6c7e231456b34eaa10938615058c

SHA256
d9313bf64229175df42f3c932688446e8c8a3de38fe87a242399cd86c04f0ef7

SHA512
a94ffd92dff25ae487e384011a3f2a1eccee4a7b33bf8da988b75b87b971883dd8ba044d596c221123daa81fc9359d3c7ead96949e3033f9c45af2c763a45d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
35fe8c691b242402c6f3d289a68b7143

SHA1
d2565caac4acdade70e270b5fd4088f2ae9f2d02

SHA256
586e78e4c3b0f2506bb69fe1217314cf80933747a173d191ca2137cfdf0e281a

SHA512
b061d07cbdd3265c5d26e0f31b59c0b5b2203d36bb5fa5c149d95de739647f6b88af0a5dc2c387ebdd71a0fc8ea0d7ec2d4897eba627b9fea977eb5125462d29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ef8d2b5308b1f8b918ef7e9e6bc02a39

SHA1
8505313eb6b285bbfbadbcd5eb7eab306ee0e9a3

SHA256
c535e3feea8d0cc6e5b1c008c383f9d59be249bce4201e54a7a5cbdebeb6f504

SHA512
278fdda9dd0c1f09a3466386eee8862c5e39eee6f3d7f46bcf3a407e1d3dad3fc5241e5cc43f896a0e883c49d1dcea991454ba4b2ebfc4c8404e421ec0d158c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4da032529dbf8139372d8dcd8b1669f9

SHA1
06ef0e896dc5e1cb137e830586364ac4be91cb5e

SHA256
314e14248040c03e856833aeb2a5a17c89868e4a07b3e69efc1f474582b6daa4

SHA512
e06df2f4deaa2a386846a47505e74268cac201f21964ad86b6641cb645fca53978dd9a66c3c707efcc0c132a4bb872c9d142e48ba09d4a27db3e3a330134d965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
5ca16b010e8a73d30f7f703f2679aef2

SHA1
e5f31bb5e28a07702977262a11026fe8cf39c9c2

SHA256
8cb279bef767a79f4cf7cfc7ae13f426ae8f9a145ef2bc858933528208c7a180

SHA512
16491d87b3c041e92cfa1fda89b3cc245980cd87ed4bb6e52e937eb237aaaf1b4e2cb8f90d98d30210a288764436c1a0d8c9fc22a7451ef7c55df2851a499872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit