hxxp://busyywl[.]com

General

Target

http://busyywl.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133507264046321265"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4176 chrome.exe
4176 chrome.exe
1252 chrome.exe
1252 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4176 chrome.exe
4176 chrome.exe
4176 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4176 wrote to memory of 1040	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 1040	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 3148	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 1412	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 1412	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe
PID 4176 wrote to memory of 4952	4176	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://busyywl.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff96b9758,0x7ffff96b9768,0x7ffff96b9778
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:2
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:8
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:1
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:1
2⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4960 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:1
2⤵
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:8
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 --field-trial-handle=1888,i,13440278057377625425,4628145673946930460,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
a095675dd1830f7de1704504858444aa

SHA1
c677459d80a803bf54ecb2b68f9cb6254dddc375

SHA256
7ddbf7c86584caa4ada273614980a1ac9927faecbaea5675e91ccbe88790a5e0

SHA512
edbc3246c6b01531473cb3c774c11ee0def9c4f6341c36ac5f18a2f98d5b06e8b2b125d41e947a9be154155bca7dd6c18f5736e5e1316b546d5e2ddb8ccc4c95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
38cf7eaea280fc4047e16950da1f2363

SHA1
2a3b4d94100502d06c7fc3858e063af39b998cd3

SHA256
6fbad0a14042eb8694133c92a037eb3629a26a533450996105eb68703050c398

SHA512
c7ffe23e0f3f0bbcecf6b1d07e4a2be51a079cde316ae0855c59d203d457cfb9b505e01900bac01d07121360e6ec6354f97b1ab9906ef53fd43ae86c5f045a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
704B

MD5
8cb895f918daa5cc0b07cf54eb513c65

SHA1
4cd3d3ee87c679e7db48a7e7501db42c7e76ca4d

SHA256
cf7640a12794572575d2b9385d7fee4ff38ab521c15c4c8fc1cf31aa551e14a9

SHA512
c6d0610b4ddc12d51e40c11243494ab82f8e79f19171196ac649c356b8a42dd7156a1e35af26b41608aefd2e7daced76fafa0cff1c24e0418668f220c6596b38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a63d6ae4c84a588a70a323194fc71b84

SHA1
478c49656cfbe8f962a96d6dc8e2c9c6ccbdc27b

SHA256
bfe3d10163bad7171b71de62e965cd68c54513309dfc61b85063096e9edbd40e

SHA512
c1b057cc71804eca1cfbf3c9892db43fbd83c1a0fd410aaf10f109da7b76707d4819d2a681bcd7b216b6d03aa1cfad78e14a4d12f8d5df48d48a2c52d0b62dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
e9120f6bc3cbcf4d38da7613a93b5312

SHA1
accdcfd7ce6fdb2132244d9cbdeeaef42153b43d

SHA256
044868cb0ca521ebe399b1e046676bf167a39a36fa21c964b120dbab434681e2

SHA512
3d99b1fa3cc0a0c1514e507120bf635920bf106e0b504e7a4ddaa486564dda0aaf776d89bb21278ee9c74d7e08a4656753c7b66eb69b7021931e1165d60a46d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4176_ICDEKJGIDZZLMLLY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads