hxxp://dekmantel[.]com

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://dekmantel.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133492752270099330"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
760	chrome.exe
760	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 1208	4820	chrome.exe	87
PID 4820 wrote to memory of 1208	4820	chrome.exe	87
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 2812	4820	chrome.exe	89
PID 4820 wrote to memory of 1176	4820	chrome.exe	90
PID 4820 wrote to memory of 1176	4820	chrome.exe	90
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91
PID 4820 wrote to memory of 2856	4820	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://dekmantel.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e1c79758,0x7ff8e1c79768,0x7ff8e1c79778
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4860 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4656 --field-trial-handle=1848,i,16782485350996260904,11630492270851450540,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2cbd57428719061dd55c9adc493a62da

SHA1
0a8fcbf1c878f4d8bb6ec6707dddd3ee9f2f6936

SHA256
2f836a5c2336604d3fdb2c2b19eaafd40f85c664034187af4f5fc2129b24c824

SHA512
363d0c7ef4def894b5717e909331e80ea995651a28f1796c3a743c9430414a34ff750154ee70f54ceba6651d4772f8a1ed50d8907285a706959240d4187dca44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ab15f9b554c78670d633569a69c3d40a

SHA1
5f01c5c72caf353b8b9c124119b4d02bba40d1b1

SHA256
d31360516b89e2816dfe8978e4dfa9e94663e5be9d7a98ec8176a08f1588954e

SHA512
15b7fb0efd6b5f7654acbfc95a8fd9007477ae1ebfc6f17ab480940342fbce900881c3164ae4e0d552a5c5f8baba5a0f924d905d2bd08a9cd0c3f8ecae0ebe03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
54706439709e14f7ec9183da9516b5c8

SHA1
ceb5f3b37b6a088ce5b81458159a117bed9eab5c

SHA256
287ce226d2fbd86b8141240067bfb60462fb3697800f71365d674b064ad29fca

SHA512
c6decaf4d81affafdd5735d1ef16a1ce4f7f19dd16afadc7c4affa3e523668cc40eddf5d52fb78481f8c589cbe8171281b76a8e10fd4217a23a47ecf270ed5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e1c9b6e21dcce1a35a409e574419689d

SHA1
ceade3f5e9d510c1b9c9b72cecfd2183c569fd0d

SHA256
84886dc097d9bccf369dfe1710ce5dc0216f905e5447d0ffa15e60c29b023fe0

SHA512
4716c2dbea4e10c8feca254972a537eeba28ad77515c443d0b79b97d76185c012e28e6bdfe372413be0a1a1fa82f8b1de4804df2776e416651d38f44459f2daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
994f9b2656648ff0bc37d0de04844773

SHA1
77cd358d677b2d4347875404364057d3978fcc62

SHA256
1773824ea9ef01c2aad1894968aa50658ef58650116c6327097dc0839036ca82

SHA512
d069248fa98282a94c389cfa47a33b71d7c65fb7d9d1fc15650df2105dea0cc5250b35424eb8b953c8957f7b87542358d1ce4b9fcb55fb08403a55e36ee531b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit