hxxp://sajiloworks[.]com

Analysis

max time kernel
1812s
max time network
1712s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 17:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://sajiloworks.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133485166730577484"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3032	2672	chrome.exe	89
PID 2672 wrote to memory of 3032	2672	chrome.exe	89
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 5108	2672	chrome.exe	91
PID 2672 wrote to memory of 4344	2672	chrome.exe	93
PID 2672 wrote to memory of 4344	2672	chrome.exe	93
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92
PID 2672 wrote to memory of 2404	2672	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://sajiloworks.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcb7e99758,0x7ffcb7e99768,0x7ffcb7e99778
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4896 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3956 --field-trial-handle=1876,i,2212478888756375007,8223164531280965910,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\64df247b-1753-4236-81a6-a5a3a6602903.tmp

Filesize
5KB

MD5
958b4f36c41e37ec9038cf074278389e

SHA1
abcc086eaa197af23e51319db232e4f2efb8789d

SHA256
bf0f30f3b121913d7782e3b4dcf65f4234db83e327cb17fb44382ded55614255

SHA512
5dd50630eae782c6a6181962e9f1e17a4aa2c449f9325c05919a49d128ab4b5eb4e7158b35d2b54fef3f9a5e18aaa2fb2ba502065b7c8f978b3c61436684f72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bff090c745f3e577a627a5af60ef83e0

SHA1
2275c7959923f9a8f542e1333c403e63379c13d2

SHA256
ef5b1308088d698a66028efc87b08cf157d81c77d514d4ec0d75e0711846931a

SHA512
1950ce7960ede928a041d47e0b4c58e9ad64bf48dea41e2b1d35922c27bf611e410fcc0b494d090509ea07747d31f5952c11c4ae42e1ae2968b66619351067f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
bde8943f98035db333b623fc455368eb

SHA1
4884f33d8559a88f59bc1acb1b7a1a6d1d31ab8d

SHA256
d9cf654f3a07e1ed968849903e11252a84c70017ab26d1043bc1902d182da80d

SHA512
70792b851370496ac31718043ec0530073e3e87ca24f038516b4a29aeebdd65d8b6b7530726fdfaf934617913d0c384b3d24c306e936d10e015d6b19e98b1fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4915f524d6b0970b892217729230e252

SHA1
6ef67a0af249b2074a85b8826145bc75b2201f8b

SHA256
c4424fecc77f088fc0a8bc6bd80f48ba01ea997802fe025f926da53d93b0a48c

SHA512
4ea9fd8ac516db8fe37a3533033ff71a6bde6a278a0750557c08b34bd0f61ef395e6cc4e1b2ef5b6a2755dcfe5ce93f0f07290d0e6b0cd1aafde3d5ef813b27b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
906830bc9d8d1809596df0482ab9356c

SHA1
4996bf058eb874a4376e7be38c36fe20e96ac4e4

SHA256
6fc1c43d67349265418b0ca3df6aa6973b84028e3f55c628272e11b9c38e8e9f

SHA512
1d0d8fe67460469aeb2555df744488e4c30a37709b06fe6119cc15bc3b546237f749a76a6d83e2e9bc70d0444aff334eb2df03cda67fa47baf955cfcb04bc522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
20755d80a46cb4a2b6cc362d36f7a08f

SHA1
b741cf2eae47ecb4a4786b26cb436996f20f8551

SHA256
cd90a9c5a6e653899b52c80a86ef99797e2833c81be5be0369a113e23b5da4df

SHA512
db0d6f369f761dd41329644564e3fd774d56c1b10f4c3c708d0bf7792b0aea7d319144b2487677945246b938b59e8c5af8803197642381d66d23f7e51a71f5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d0b2a8b0-fdfa-45c1-9e4e-f2a88e37929c.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit