hxxps://t[.]sidekickopen51[.]com/ctc/zn+23284/c236g04/jkm2-6qcw6n1vhy6lz3mwvlwj8x6c_whym5kkr_gxnk_w93wljm2bgb6lw3sljdx96mfvzn6krrptbhhhrw7lj4d86f7v6gw3jywmn7hmrrxvs3gvl2qytkmw3rqm7w31rwpxn5wwkczsy-fmw8ry_jw1_5t1gv8zfbh48rnztw4vbrrh89zq5mw1z80yl7p9-j8w8vtv-n6_2h7hw6rdnth8-qjh1w3csccz6tyqckn7p0zwhmbq4vw5xsbvh833qw4w3rjzt36x4_b_w5n94wl3v1lwymff09vw8rswf3t6fvw04

Analysis

max time kernel
179s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.sidekickopen51.com/ctc/zn+23284/c236g04/jkm2-6qcw6n1vhy6lz3mwvlwj8x6c_whym5kkr_gxnk_w93wljm2bgb6lw3sljdx96mfvzn6krrptbhhhrw7lj4d86f7v6gw3jywmn7hmrrxvs3gvl2qytkmw3rqm7w31rwpxn5wwkczsy-fmw8ry_jw1_5t1gv8zfbh48rnztw4vbrrh89zq5mw1z80yl7p9-j8w8vtv-n6_2h7hw6rdnth8-qjh1w3csccz6tyqckn7p0zwhmbq4vw5xsbvh833qw4w3rjzt36x4_b_w5n94wl3v1lwymff09vw8rswf3t6fvw04

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447358800464307"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 776	4400	chrome.exe	34
PID 4400 wrote to memory of 776	4400	chrome.exe	34
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 4996	4400	chrome.exe	89
PID 4400 wrote to memory of 3576	4400	chrome.exe	91
PID 4400 wrote to memory of 3576	4400	chrome.exe	91
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90
PID 4400 wrote to memory of 2224	4400	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.sidekickopen51.com/ctc/zn+23284/c236g04/jkm2-6qcw6n1vhy6lz3mwvlwj8x6c_whym5kkr_gxnk_w93wljm2bgb6lw3sljdx96mfvzn6krrptbhhhrw7lj4d86f7v6gw3jywmn7hmrrxvs3gvl2qytkmw3rqm7w31rwpxn5wwkczsy-fmw8ry_jw1_5t1gv8zfbh48rnztw4vbrrh89zq5mw1z80yl7p9-j8w8vtv-n6_2h7hw6rdnth8-qjh1w3csccz6tyqckn7p0zwhmbq4vw5xsbvh833qw4w3rjzt36x4_b_w5n94wl3v1lwymff09vw8rswf3t6fvw04
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98b1a9758,0x7ff98b1a9768,0x7ff98b1a9778
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1884,i,2509467176790285410,15091654422405695575,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ebdf2883de55cdb2fcaf1bdefff75cf1

SHA1
397d362cf5bd87e5096e87347ef45ab8c93e9c0e

SHA256
1f3a7dd0a7918277a33523457e5e099f0a0a8c35b72de45495ae3d79539daafc

SHA512
65e3a634b9407d76860a77be372952da6c2d52abea46813e30077a52444c5c9d32d26a402f92f6bd0d40d21ca6eb4bf6328a44789472d6b38ac7a57e75d27860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\baf06038-cf80-4531-b163-0b29c70cf134.tmp

Filesize
6KB

MD5
54ab4eab33ffeb5efd4ac9b6a9852a5e

SHA1
f729b64b2ca286dbabdc227d4eb5d7a1af79217a

SHA256
e42f334f803a91b9e5a84c0f28cb630797ad91a78f7e29ea355eba123b072647

SHA512
d8ca1720b283adacdd532474cc015cbb7683ed2b17727baf8c4096eee60b2cb6442a88fe789466dd2ffb41ceedfb95e6953af918359557875260667a93d9c3c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
056c1b8fdf47d7c4833abe9aae2dc656

SHA1
a0d3c53dfe10c5c4d256ef54b9e8947df6fbcf3f

SHA256
ac590c628a2ea828f6d87085ffae65821aa72b514b2069edf78b217278667fed

SHA512
f800342c300418c8099a6cac9abaecf8aa25304a5f5778d24c183641c527f43cde8cf239d78ba09293fcad165eecd9c561d7db89a8b51c5a66f5ce35125d66f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit