hxxp://static[.]flibusta[.]site

Resubmissions

02/01/2024, 10:35

240102-mmrrbahcb9 1

02/01/2024, 10:26

240102-mgtcyseeej 1

Analysis

max time kernel
183s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://static.flibusta.site

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133486648946521598"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3240	chrome.exe
3240	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3548	3024	chrome.exe	78
PID 3024 wrote to memory of 3548	3024	chrome.exe	78
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 3684	3024	chrome.exe	89
PID 3024 wrote to memory of 4480	3024	chrome.exe	90
PID 3024 wrote to memory of 4480	3024	chrome.exe	90
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91
PID 3024 wrote to memory of 1132	3024	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://static.flibusta.site
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5f829758,0x7ffa5f829768,0x7ffa5f829778
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5212 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2688 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5132 --field-trial-handle=1892,i,14804608609916954221,14517382443113415123,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
89310a85b67a4c6f108ab77121238de6

SHA1
a819bf6e972792f6b601e4e4181974498ee137d7

SHA256
66342075c3e319825153a0224fcc64b975feaf33f80413d93fbf6e47b93f876e

SHA512
63d01b50b588ae410a0f3b3792546d4bcfb9540a604012e9f2d793112844aea7ae849dfd72a17f972b3870a875edd20b6afacc7a125a6c4bd0334f6b4db1764f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5f3430519956a27bfab480891a60c439

SHA1
ee782cb5ee1499a769b89bec449ad261f2431877

SHA256
cae071334b22f30d53d6dd5b9dfcc6f79dd7824dcff8ae031c3d384db7bfcbbe

SHA512
b9788d3d57674544012f9ac1995a62bbe98675f670b626c1daaf8df6267ac082b86be3b4ed495564bc35b2eeeda7fc98de4ac29270a051b4163c610c93bcd4b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
4e18810641a1f7f7dbfbb063c263033b

SHA1
fc10906607b79d6880b7932383e17dbf8c4716b7

SHA256
f2f0f529e81e85d1856a87af16b50df69e1467e884b4acb9750f37e019872438

SHA512
a31a4b27e5ed84fb9b4295ae68192523f386f281dd1db7a526f7a5c21d3c2e7acb2d8f041117cab243ec202a769a53fbe9574371271609c753a1269f1ec77043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9478bf7cf19594bd43dead1c9139682

SHA1
71f45d88bafb75fa517dd79faa58acef79a299a4

SHA256
cc549169de7be97b5a1ee52c2196ddd5a9775a21f5cbabb77abcca745f454c5a

SHA512
12a433608f4bc63787b7cfcd3abe38e3d3febc2a65d0e3c94e3b71f96b26c947c7daeeb421c9af610c4db91041b6eb7d96a43f7a327096a001e6b629a8d8a41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
86908c4600df79b198b9e87954e90971

SHA1
3902aef8fa993dfcef3c08c34bedfc94204cdb50

SHA256
b3aefd328e46ba88088d6895a1715b0505d931abb7015a4b4ff0e6bd6a9b57cb

SHA512
35b9c4294b18cf6be3c64f272f43aaaae885508116186cad20a9abd19226f7d64acac3060b0a760741f456275065df6499da602b1c49c76216d418d4a3d77cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
b96098332953a0fab906d98f7c8d2220

SHA1
824d9ad2cbf5808a495b26fced33b998a29ad0fc

SHA256
747843f25f37392af433f235329b400517dd4e741b27912ab04f8a4c97a70c16

SHA512
9d2426a3293fefd3fc288059e9d8c2c17ec2e42a5fc025c9b6a495ac89b36a51722a464ed7ddc4d4843b3a4dffa18d21bcffec67dec58dba1d64700ec15bc2b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit