hxxps://ww8[.]welcomeclient[.]com

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ww8.welcomeclient.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133510104461787399"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
1372	chrome.exe
1372	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
228	chrome.exe
228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 5112	228	chrome.exe	84
PID 228 wrote to memory of 5112	228	chrome.exe	84
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 2692	228	chrome.exe	86
PID 228 wrote to memory of 3136	228	chrome.exe	87
PID 228 wrote to memory of 3136	228	chrome.exe	87
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88
PID 228 wrote to memory of 884	228	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ww8.welcomeclient.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5ade9758,0x7ffb5ade9768,0x7ffb5ade9778
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5352 --field-trial-handle=1752,i,12182798206402164378,1976025808847332416,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
64444934a0ed4276ee4eb61ad2924029

SHA1
f2693e9bc8e75632d75b6dd59aee47ce0471c171

SHA256
e35b2e0bf2c6fd45755dc1410d96f82505c4da49210b4c6934b9f94fdd7002e0

SHA512
96e68aa179d31d954bc8a01d47ddafdfbdd6e144b3c56168e60f11389ebfe7c2e6b56d2331f0c5235a5f6bcb90c40d27e9a4d133ca51cfcd40ba3c5f1c65cade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1f71c76a07fd716180f93f67365a870e

SHA1
98d71098ba204dd592a829c73fb1a1d6df034d1c

SHA256
d2589c94508c184caf259ad284ca28483c068c62f2088d6b97e89296c8909b0f

SHA512
5eefc5a3a966e2eaf7c8e98afeab23de3e9be248b503f3265dcffdac182388462428dc73a2903472005a3a3b5bc75cad4a9c12a4a375ef3bc22b74c8c2c05758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ef5d0bc75f4fe00b4a84dfadc391ba09

SHA1
f57cc6db311ed4972895116ddb7508d3002e8633

SHA256
ca8c7687eb0b0da1213f663ab17701fe05a1110f5472f0000d5d4eb7d807164e

SHA512
3507b4c0e73927c5907564e96c179ccf58982e2ed2f2e6bb5fd1f64b975001a65415b02d88e3c3a040b1421f2c9a005ada10743cd30a78dda687a47089ad4339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
836B

MD5
79a6f12ffb2b885e7a51924a4f6d5665

SHA1
f30c12af80ef4d2ccc79d05210317a48ecfceeb7

SHA256
60bcfcd464ea0067c27263278dea1d414c8959026174fbbf45447f5d63f3e38f

SHA512
e36d9180708a535654d8dbf303370cd651d6f497cee1b3d4f9284827a509663cf2427b6f85d8bb4eaba3e1b0601af09e0dee9b3128d85b62099db61684cd4b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
2beb16b1424a9eb67b1fdf7d56cfd74b

SHA1
73971ea118823725d691dee9adc9c138e8533f33

SHA256
53b1eb78d30c5dc3148dde64f88d671c653154c4da729e29d6ef2e288e2f546b

SHA512
36dd1199377d7692bdf8811a98e9cf1f27f27e7cc138f8a6bf357902c80eb49304edeec71e6c522dcd2ae9a8f91608e4bae4d492049f721915b7136f991ac761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bff8ab463e8f9ea3854e7355462e46d9

SHA1
8cefbb59f45290b1e2ab6015c43ec89c72f0a262

SHA256
3819e335705606bdfd1d57c5bec5549c7e195c3be5cd2a98afe741379b0a1971

SHA512
a9cf1127dfea451bafa8de3635a32bafde137d9b479c07b5a951d0781d2bd7c4764f7663d42d5ce77e80b8d236c620fc20db2466534fc0efed7ec519cbe676e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4a0ea5e48f8937e87f37394d6ebf0f16

SHA1
45988958af993ee5f121df496695fc25d6e62b69

SHA256
4d91aa8a4d01cf68ef62c8f0415204e99adcc53545b022b5bc0c3f694fdc064e

SHA512
d3b54f743e46f7f565d3bf8504ccf33934fc138c4ca16f3980f19c7b4284bc0dceacca363550e9abcd0a92728079a1769a9faa6572575f666fb95333cd8fc707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
430f0fcfa8553ec77b5cb5e4f386e867

SHA1
966d820b1e89cd66cdf585c602e548be66ea6d5f

SHA256
a3fe1a74fcd692e442453f8fbdd2366b631becdc9754e9dc8e9fe1cd7537d610

SHA512
77d93d7c0a2b1d38e8ef8a9b5c562990975821ec8d5067ca266fbe813a80aa3a71d6417bfd3301198f3858bfd84f063c3fd603ac9448ab9c8b7fd7d21852efdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
e329943b075d5cf3c4ab17e9cfe7c339

SHA1
0594ee4162b0d9716f8f1b778c761081592b4fd5

SHA256
52b828f65bfa04415c5fdfcc890cbe53dc03510a5fb27ec200263e372a459547

SHA512
cd931c4365e13af82a9450e00bb4eae63d7fa39d3caaf42dbfc7fbb39b218077379ded9b4a7055d035891c1b21d2f5e99196aa19980ba2c93b336f0b235f68d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit