hxxps://cm[.]cmbuck-oem[.]com/u?mid=65bbd9a024e07c0001598010

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cm.cmbuck-oem.com/u?mid=65bbd9a024e07c0001598010

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521625564022958"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1088	chrome.exe
1088	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3972	1684	chrome.exe	76
PID 1684 wrote to memory of 3972	1684	chrome.exe	76
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 692	1684	chrome.exe	86
PID 1684 wrote to memory of 3096	1684	chrome.exe	88
PID 1684 wrote to memory of 3096	1684	chrome.exe	88
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87
PID 1684 wrote to memory of 4380	1684	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cm.cmbuck-oem.com/u?mid=65bbd9a024e07c0001598010
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49169758,0x7ffd49169768,0x7ffd49169778
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:2
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4732 --field-trial-handle=1884,i,4502333291847804890,3964157247358805150,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
c9a01ea940d5bc2c2526fc8585478e28

SHA1
dc86faa2d07bb12d33f0c0acfe7406dfbd621e44

SHA256
5c2eb6da41a296afcba9d32689a9c47125c87c3d4dfbb3a1380e142e2557c9d7

SHA512
94b486a2907bd5ae5b2947b858d39f0d859885b5efb7355c7db06caf7fc32a0d3fb9caf1eee3ff4caaa5843dc9bd71573d7f9daa212eae3b09e40e581395a450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
822e7d619f74bb6a9594136307c1daca

SHA1
22fdf606a6c1dc5de3c195db279f526029458829

SHA256
b8c4b5589f32da301dec4df40a0752d2eafcdc3f293f76eae423f7cbef908105

SHA512
258f9e8d65378e10a5fc9c9f467e40ef49f49913d2491a923aef5fbcd3165781b5b6e9aae22b2336260f405638376ff7739951fc53692d87dd39e8328f76df70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5bd1bf10126c0dc7f8a66c0464cac148

SHA1
54dc1cb35d8bf77ee1fbac701050b1fe24b84fd0

SHA256
8fc59d3bfcc0802eb7563e97aa2e98252fe4ccef1a4bc79155a2dc6960f046f8

SHA512
06f2b0530e81171245d2393b7af85e5985a241581b2bde9c266c9c79e8f6c00f04f75cfc7999a89fb7618355ed4ac6fe8894801f2f1dfe7f2a9ae72fcdad8950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
31ce6e4a09a59f6400f7403aa9f55631

SHA1
20903ba25f5845f4478e5648f7918634e5e8537a

SHA256
66078d14b4f13be121b9efc47012d4fcd864fdc73f8fc6bef8243ac2c0e5ce61

SHA512
6e290719c815d2584b98633bda7b0c2cf5cf4e43f995b2e1a97b7ec0c0f4488ee8619d75efbbf6f3ca3c2466d7996612b6603d34d19aae5464c0050187365426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
5db2630d12cd21dde109d9882f72f568

SHA1
bf058c43bc25b5d65ac011a041473f833889c0ed

SHA256
e4ea581fe4c4c3edb687c6dfeca29b52e366c1df506df33786627871f6f9848d

SHA512
82fa7857a33175aff55604b52bac50f268c9d53eca5b22d255a4b0c084a38827d0836deab53cb4297f4d19db71f915aca81de6fc8a2686aaec2dd0a86d1c6f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bcf5699bc3f30ac979a37715036bd265

SHA1
f6425563455ea558352f7cc2541da8b465b8355d

SHA256
efca1d6555ad1026cca01fbf98ece9308fe6c3bb7480e119a059b404506d0638

SHA512
001f7dbc7a2b98a51e1e48aace919260e188ac3858234eb99dd3b3f89f90065560793a98c25a805b23eee447db26c6665199d3c2ab7f468fb5f4995c38733661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
11af9d51abb00249ce88c4cd2fa3e4c1

SHA1
1a87d63c650d3339578fe2e9b2ccbbd52674ea2a

SHA256
485abf802736857b8684c244c954f0b29823ac126b6ec6dc4df3c02ed928271a

SHA512
faabba24bcd05af2e3dac64ac88ce893a7a2d411fb2addac6f08ee07d10a860297559a24547aa52848f73e37071568035944a6d13203b5d33b65690e51794d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit