hxxps://velvetking[.]online/

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://velvetking.online/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133509527572960640"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 644	384	chrome.exe	65
PID 384 wrote to memory of 644	384	chrome.exe	65
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 4460	384	chrome.exe	86
PID 384 wrote to memory of 224	384	chrome.exe	88
PID 384 wrote to memory of 224	384	chrome.exe	88
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87
PID 384 wrote to memory of 2976	384	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://velvetking.online/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2c349758,0x7ffa2c349768,0x7ffa2c349778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:2
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4112 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3408 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:8
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3916 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2480 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2296 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 --field-trial-handle=1876,i,18379710478581880360,1420607939286421076,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
cd6a59a97702929a868da6a7cc67ffec

SHA1
dd30905b05462946862dd41ff4789df4583c6033

SHA256
da9496f0168a865cd678f37ab65df898af935db686e5ff5ec6611b64204ef75d

SHA512
9d6b36ade7243767f7e136b954cc01a8280e0e6d2dd78957f3961ea5635a822b56634da331fbebbab149eea724f524819c94e16e33e7227e6c03ef2e8a8c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1493f3d3243fcad7ed97ca82d3fe94d7

SHA1
11d8cecdfffe0fa6c5b786bddd1e4ac8f72b381a

SHA256
14547575888cc0952d6fdc6d2309b3afdb381faa7205685258f7f6a5eabe9f67

SHA512
72648df2c4591cc90024d7d29741e512c04f23982ff25d381f3c7f9c73fb697df4d5f94f91414ad4bb115c6545e519aa35d8c2dbb2cb5bfc6a79f8399f87c6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84939bc4f5b36054c47d625f798ddc64

SHA1
8d410b085ce464b671903aa8565e87a4b248d20c

SHA256
9b0849fe69a6836b56dbbbb209be2d0f72a15bdbc98632e7155e38cb11804ec1

SHA512
8bbf53ca644e7b97089a429f9d7f17fbb2c5e723c24bff7becc180b02245a32136c1b3482068483ff2cc5d28e418d028be1ccc3c5808dce743dece5e8a5c401d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
22976a964a7286604efcefbf78464a5b

SHA1
d74566f8b2764968f0397e5961956b8c4428aded

SHA256
083f03fbf335d49c13e73189b0bffbdc3f0362886f943568c62f6bb7aa83de04

SHA512
1a5b635b66547d50d434bef76a51a0a8362e26895098bf0f4a3234e03b71d456f00ee3970c252c9789a0c1bed9b88ddea5f62c46e814db94780b429e520a1a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit