hxxps://klu[.]mx/landing/fx/

Analysis

max time kernel
161s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://klu.mx/landing/fx/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446996569022613"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
3560	chrome.exe
3560	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 380	4860	chrome.exe	86
PID 4860 wrote to memory of 380	4860	chrome.exe	86
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 5080	4860	chrome.exe	88
PID 4860 wrote to memory of 696	4860	chrome.exe	89
PID 4860 wrote to memory of 696	4860	chrome.exe	89
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90
PID 4860 wrote to memory of 640	4860	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://klu.mx/landing/fx/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9212f9758,0x7ff9212f9768,0x7ff9212f9778
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:2
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3316 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5016 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3840 --field-trial-handle=1880,i,11206802153241692497,5584792255321613749,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d2d9bd6e0aef467000023cb0c96663ed

SHA1
336d570522ecd93d99c183b8f4ede1a6b3f181e5

SHA256
0f028f0b47fa320a688f8c34c53f01ae3585fc9ba430afdeac2b34cca6cc0f52

SHA512
a5f4d1a867e189f2c3d1386c44f58b97ef5ebda97af3cb16f71e6e260ac34b0e60605999dab2b485f020919256af7e79f9d0a0435cfaaea952dd0507008f7cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
522c7aaa0fe3e54cd0e062b1782ab86b

SHA1
5607a53317499b6a126400d1201c4052cf9c8d1c

SHA256
4a4b794527e5647a43470310bfa7246f880d8a9813980a920993811a3c9b2475

SHA512
ca580333101a737d959f2f80b2186aa5c5d6548f227e03921d5ae95291d7cf2ca85b0f42f4648041c4da5204d7b00446878ba792a8af6ed7cb4754611b72a2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
ac49f8e8461d4cbdcd42bce6fdc8c6ec

SHA1
dc225c458528946ca0d98e15db203833f61dbfab

SHA256
5425cbfed9aa786931a34202b1228fe84b13a217ba249cd162247ab4d950fc8b

SHA512
779d7730d9062bda45ed9130630b31fe39e8711be706f93c1cc91820510ca06276878fced72d16a82d54c302af863ef9d04b5c6c662dd884444433c00b4cf288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3132f9edcf9974176c4fa70175a82e3

SHA1
18de795a980a9dc52885da8fd654c0eb066ffeb7

SHA256
a808bb90acbc19b2707c5563e451ac45e27c58094b3daf5db96ea2da16720c20

SHA512
70d27258d941d9417b0fec15f8224de7ab7fef25cbe5340682aac73a14d1fe949f41c80828dd7dae0b94f6fbffb1ff6c3b3a3c34fa7e231fe9c87642da0b458f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
215KB

MD5
993635e170b7110ee3b8f96cf5da089d

SHA1
099c72479e73002307c3865202b56a4af63d5157

SHA256
715d5f5c26a3b7fbb81e1979bff0dfe1c30b687d4930ec65e7a78b5f10eb8885

SHA512
40ca5f1a7e74c1465840bda41f5cc908c35fa81b09dbb5ac24d7466a21395c9cdb16078559a6aca94fca439de1f306894501aeb363cf9fee835199de4761b8f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit