hxxps://ess[.]cloud5[.]com[.]au/jde

Analysis

max time kernel
330s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ess.cloud5.com.au/jde

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522202805362538"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 60	3368	chrome.exe	59
PID 3368 wrote to memory of 60	3368	chrome.exe	59
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 4496	3368	chrome.exe	86
PID 3368 wrote to memory of 2712	3368	chrome.exe	87
PID 3368 wrote to memory of 2712	3368	chrome.exe	87
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88
PID 3368 wrote to memory of 4640	3368	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ess.cloud5.com.au/jde
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d9a89758,0x7ff9d9a89768,0x7ff9d9a89778
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 --field-trial-handle=1896,i,15880858123491180015,6910616525653698418,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ccf4806161e0dd72ebbd0c0bd5601d68

SHA1
d318b953ca1a62e44cc1dad9709ca56d65e928ba

SHA256
793c799ceefe09b2393a78693c8273e16de89f8ee45838e6daecf7d0785fedf2

SHA512
24220367eded8eb6fe0cb2c20438ca4901d553ed36d43f01204f744ba52bfb3b2d539f0805601f1f5c19cf802fce18919ae15ec9e95130f4e968fce1b294da1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54ad31a95d1682f1e2815f40ad9c074b

SHA1
6cc0de0d62c97baec6c24762bf563e7a4777ebd7

SHA256
87ca16ed451410423f970124ef7b37b350a3daee556b218d8c2ac9fc3e68ca59

SHA512
680be213144ca9dc7b5d157754e6842597fd5cbbe851a92479d0edee5c0a5c63ecad249b9d738de9de50f79d7f0111029916ffcbf1cad46b808553832838cc32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
6603f3a4b059c4adbd7628fb43bbcc82

SHA1
8d5517125fb2df6757cf8ad45bc48ef4eb0313df

SHA256
e060bb3d9c6a9ad9510b93cf2a3d12a17a4dac9cbc1b2c736a62222a57796200

SHA512
e7f65a4043395ff7a4494924d13a7e0bd8daac2521282c1a65aeb6c2b2cee8c6f6d07f4e3b3693b5f66d32922d2a318b6dd87dad78556ff6744f02ea165c370c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
40a77b063cd491a79d1d74acfc501d9c

SHA1
8a64c62c6318587ef8058c239d01175e5f051319

SHA256
d61a623ac10b8769891bc163c6a3b66dac7ce16fa521edd18bee4176b2a98747

SHA512
24734685af76eefd0a2c70f6930bc7f2f0791172a08663af80ef17191789d69daecda16030eb165c939f94ef2cb479698bf596eafcbdfbf85bb2b9ee650722f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
2574f7ac88f25146988ddb413b6d14ae

SHA1
5871a6d69b2114a9322863a931ce8056f4b1e310

SHA256
0b8d307328acf5a532a4f4679cc253e46d36ecf5bca3719ddaa67929caab6842

SHA512
8a2ce5d32fccec04963b4f7ff202fecb95f09179b3d36d58282175e81ab321fcbe8125f2fc26059d4124fe3ad223d5d405ce6ae05ce3129322b39dd637378224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit