hxxp://telegra[.]ph/Moj-pak-prikolov-dlya-njRAT-08-08

Analysis

max time kernel
47s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://telegra.ph/Moj-pak-prikolov-dlya-njRAT-08-08

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133524034233586851"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4532	3396	chrome.exe	41
PID 3396 wrote to memory of 4532	3396	chrome.exe	41
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 5004	3396	chrome.exe	86
PID 3396 wrote to memory of 3240	3396	chrome.exe	87
PID 3396 wrote to memory of 3240	3396	chrome.exe	87
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88
PID 3396 wrote to memory of 4956	3396	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://telegra.ph/Moj-pak-prikolov-dlya-njRAT-08-08
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccddb9758,0x7ffccddb9768,0x7ffccddb9778
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4664 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4988 --field-trial-handle=1932,i,10406008090841583583,17358525420706354143,131072 /prefetch:1
  2⤵
  PID:3576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4fb8de7f-252c-40cd-9844-44a1cf45025e.tmp

Filesize
6KB

MD5
52a9c3a2cc5054b1bf0ecc2a734b987a

SHA1
7e20e48ab9218892298cf88a0a4ca9a7646f5ad2

SHA256
3ac4834fbe3d159c011879c6d27b970735e6d0c81a42331550b5e28799b82249

SHA512
e3974d6696ee85dd115dd73a05cb23e438e56713b008f6b799ecb8aa281ddf823aa1594d92cb3d94f91d1799e321f3311c56be0e72712c0243bff6cb6d13b1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a48c2501b43f5b28c43a1a884d692891

SHA1
04037e456f549408abc4746d3f075dbcc44faba2

SHA256
99e1377476a53fdfa5f084f86fc764e771bf8918a5acf68747bb3ba94215277b

SHA512
4693ab957fcd6a7d8a6f40997aebe66efb50b68d918e9823337bca03a905156d595be264d2e1c1331b7cd24eb1c99dac07a32c71586372d66952664848a5ea86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
725d95027b99dd1b52e0ff00838ebb41

SHA1
0bf986de316e011582b25fe4d07ed0bc5dda7171

SHA256
614a4444987e131cba3cab6cc1e3719d4ed244bce6336d89bb77b72c92fe150c

SHA512
47afd490dfcab620cada3eb02cf0c795bd9a48122e6668655241abae452ba90dd8ef5216de32a5bf80f585e4eef7b5bc69fd496a4153db2b9dc1af6154d2c841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3c95ed98772ceadbd9abb0a8139a5c20

SHA1
520613303d899b237611d2deee71afb17ae7eb4d

SHA256
f69b6e641a58cb4276ad1ed4cccd17a0f47f8321e7a3a30b554967b93641cf9c

SHA512
99af2949ec0911497094d637beccf643dfe335bab815a8436d2a57db719ba903fad827d6bee0c83eab6b6debe2d9f7ac6af5c5266498c199369cd14e5ab9ecf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
1b0eb198371a86466df2548bf6cc39cc

SHA1
84f2e232c5a1cf1b6940bef596576a2839da84cb

SHA256
77e8772fef503698f28640c2aed5ff3c6f9465623ed0b7de4778058fbb11fc65

SHA512
1d3d73c2f7ce53dc35ef18e49e25468134e139362705402c4d7af08b82a729f66c360456ae3ec523a47cca61e3e30b0cb3223552afc5154537400af7720f604b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2193b01577131cef941dbfd0fe5b3a38

SHA1
d8a4c3e9d91884f6df29e7c0cadef3d9d9e2799e

SHA256
0b734bfbbc49eae9a29aa0f20210589f20e8b917ccaa4e8ced3b844430dc607a

SHA512
de9a79479dfe1393433d6b6ca4a3d683c040394f2f3663d1da6a9c73fb91341c17bb79be2cb79c5f1dd25542e7db05d4de4c0abe5752ae1dcdf84da978d327ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit