hxxp://esimat[.]com

Analysis

max time kernel
300s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 16:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://esimat.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133453157892362696"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 5088	3104	chrome.exe	83
PID 3104 wrote to memory of 5088	3104	chrome.exe	83
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 4632	3104	chrome.exe	87
PID 3104 wrote to memory of 3588	3104	chrome.exe	88
PID 3104 wrote to memory of 3588	3104	chrome.exe	88
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89
PID 3104 wrote to memory of 872	3104	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://esimat.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa17849758,0x7ffa17849768,0x7ffa17849778
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:2
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4072 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3732 --field-trial-handle=1876,i,2910729777078850683,5118048598988752556,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
cebf7b9fc9bb9fbfa76e9052bb43dad5

SHA1
b777d0006f7026534de4bb3b04f28f9cfaac9cf6

SHA256
ce325ae22adaabf1efe6fa6aba6bbc17841439c523e21fc63550db06461c9640

SHA512
62413fc07c81392be6daf993eeba70c6e6435ef25f7ee26e9c9144daac388efc568ee1ab712e6a3c9861aac461ebd445e6b6eea5f92a4cd679a997ca5d2c8e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
836B

MD5
d434789b3ef589fdf546027ede270d2c

SHA1
fbceafe5b0081cfc6470e9851ff22995c52989b0

SHA256
0454a53d6ec675da99dd57f19c7ccb6a92594a50798a5749f4bd9ba4a9a87ba0

SHA512
89437f96498c91513321bd0afce3db8272ee3f9bcff3b7eae9a844e05f39c97506d0f4166d664209e0695b2c858ca5ecc5bff723450f431a7051f470b47438ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fbf5741a12f881ad7f46fd17688d4285

SHA1
183a86b3ca0cde3b8f0edb3ec83ced6653483399

SHA256
695c42d041656b355cc7692e5a14d12f635ac355b1e8ab58946c3abf928cebd0

SHA512
fa3ed9d101fc554789f31ba4f6dd5b6233befb620af7c1d1b2206b9df3a357f3d01602e333e13c3e1b3723ba01a87e162a4f565b20a526f65b6f3ee3a42157e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
02b4ddab10a67e56c1fe746949ddb40a

SHA1
e0cddcc72e363de15babb1d14f6421da6852313d

SHA256
37354e99a0cc5e2dc5dd5cf9340392378b6f49a02eb29715fe98e3def7f9df4f

SHA512
1ac7d6406c868e4fff2381e376f0fd3804d815e0eb47677ae2fd4ead05efc89f71de28debcc9652a8d9cd6e9d49298bec995a7809bbe788ef6d3b3c174c9ed33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e7013fa80092786646bc7153844d86f3

SHA1
4b7e5e3c685797473d4491eae8215888f952dc0f

SHA256
a67ba63de826e0793b98a7d330cf9dd82e29db60bd4529d8f356167509efa96d

SHA512
07f179b55f4c9ae4f0be93fbb4f64f06fd13a5ff3441d55e119cea538fe73523824d45dccc126a9aad88639990ed4893f74d471693e1265caf56ed51ea367b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
0bd612d369f5b2ef4e8a5799f2792a97

SHA1
bc8a5f22d4e9018e32af920b4e4105b3ecdc7baf

SHA256
1de59b64b5b56e46d0c27da37ce06ddacea20516c1860710a147e42dc4c499bc

SHA512
769e918d39d6582ade7d56bf471d8473ccfb12a2c25fd4c0b5af4841da98897ab3a5258a7c3bbca12949af0faa462b956e7762a7223e6fd11b526cd437cdcf28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit