hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
162s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133489539483939409"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2908	3744	chrome.exe	14
PID 3744 wrote to memory of 2908	3744	chrome.exe	14
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 4052	3744	chrome.exe	33
PID 3744 wrote to memory of 1464	3744	chrome.exe	29
PID 3744 wrote to memory of 1464	3744	chrome.exe	29
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28
PID 3744 wrote to memory of 564	3744	chrome.exe	28

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x74,0x108,0x7ffe43aa9758,0x7ffe43aa9768,0x7ffe43aa9778
1⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:8
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 --field-trial-handle=1888,i,16045207314651004907,3178270296068340200,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
69c1b9ad9950db6dbc6d330a98832a31

SHA1
4ff85ce7bf1521e0f3e9b7b33285a8d20eb9c6b0

SHA256
29e512ee95c625b24b27d429fbb0794b42164d187b589aa5e3989c8f94fa5e57

SHA512
75f92ee789c91e506cb4a77ab3a99839a4c1b1933a45cf8a09a9f609b63a969e8a73456ec6b18feaff753805ca9d0a91e14d53d522532f980c059bbcd4b2ce63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
43ca2bcef3c6afdf5927e47c4b560d6b

SHA1
7a12e2064d7068f9ad56e85b5af3ccf5e129edd3

SHA256
f163a09d85e671c2f5c244c8266da2a90f3ee70f4bf3c77faa5234e3f78ef7f7

SHA512
ec717467e9d9caf4e2b6411ff6588ded5244a634f442569e85c6cf62ee08d6548c3be1ab19bb8457cec8138ae5c13a42e13b6d2bd5c1ee566906365712cbf886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c9e9f06992ce7f9afca9f038cd9c4fc

SHA1
7f2e35e83b348f7530b64f71db41a8ad621b838f

SHA256
2b06c5ce0a255cfc4616cd558b1f17be45bdebf48350ffadcd97b065cfac4f1a

SHA512
43848977f11166890a4d3046fc38ea9f8c4a07788e4f83b511ea3aab73ab7e007beac15d74e4ff9a799daad3ef0cbb990b553f369950bddf9a690ca7b3f29561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9d7a4285074acc4a1b9c59ae43bb703

SHA1
6829dcd206572fe84112d88652550a8a6e23b6fb

SHA256
ceb22e320448f2e5a403dc6a1f2ada9893f6298a76bf59032be0793788ccff3c

SHA512
7c3f9c737a4952d6d40673e4e976017965171d3ab1aafd1d93875ae2bed1182215768747898fd6ae2b38fc5bf040693bfb01100aa65561d857a62bb45b05ef4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
681d02942b07ad886b67a33fa369843c

SHA1
f9c7aceee3222e3e6cd955fde1df5fed7d651484

SHA256
fd8c48369dc403b86c59fd3c07f7e2bd402cbd96d14999b77c41f5123f4c5327

SHA512
67a927a3e7a775797d643f4ecf39799e74808cd6cfc838d59da315dcd5c59b57b228a8ca0ca128a4dc4f2341813dbe0183bad2c61989f85f7f92159a3bdbb1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
f5023acbedb49c5ee0a469e901b633c3

SHA1
3d1b480a2c2d86af27f3eccbcda16ae84d271e37

SHA256
d29b86101d4d7ea6c9873b5d7ec9cefece314354f7c28b0dc22bd9835337ef71

SHA512
94dc34ba915409b7d077e6e9b133126d684037558b74a71a98321302f5c852d82f48a84c17766ee1324dd174685fe5801daa4b3934e189dad0d068c5e56f612a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit