hxxps://kothariwheels[.]com/mmmko

Analysis

max time kernel
300s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kothariwheels.com/mmmko

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527693499132149"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
1112	chrome.exe
1112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4060	404	chrome.exe	83
PID 404 wrote to memory of 4060	404	chrome.exe	83
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 392	404	chrome.exe	86
PID 404 wrote to memory of 4380	404	chrome.exe	85
PID 404 wrote to memory of 4380	404	chrome.exe	85
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87
PID 404 wrote to memory of 4860	404	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kothariwheels.com/mmmko
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff987189758,0x7ff987189768,0x7ff987189778
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:2
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
acc840e9a42b8a71e77377a7aff95663

SHA1
3eaeaf07c7386bc5efe4cc1cf662749561341c4a

SHA256
db277119a790bd95981d4395ec67c9f4fdcc3c1d3fb63bf4ec827f1607d00023

SHA512
09146c6c3f768dadff3e947d1d7ca3cbdfb885dce0dc477a5d54c10ec3737761d8e604debd7cee6b72f819a83667c69f4716342461ad2521609c036ba97c973c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
06b0f7fa41b9ad5421ce6aa0c2fa978e

SHA1
a7590ad4201860e870ad90e046a0923ed97f91e3

SHA256
73f31add875b90b65e2bbe32f6baba4b24d6b01fd8842e879782b973ce40f573

SHA512
d9b73de2e8ef6e1ee9e365e79717b4d7054e39bd20322912589e49259e70885f2fc89a750417f6225e08965eea5ea77b86f580d2dbdccc06a3b3669ac11b3184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5de1909e4ae438ae5c8ed650d85f87c

SHA1
877502f62bb87c210d632a7287e75e84391ebb82

SHA256
c54c48edf98d9576b1b1b0bdf8caa676e0832452ade934f32a1deeec08161c1c

SHA512
956411c07d43cf1b893a727b5dcba8e97304c02dea8bbc7fe41e8e4c2cca74248942bf967d91deea76cbf86acf768f0076044e9c8efb4abbd23024d61278df0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
183a197847dbb8a934ff6dbc84e64994

SHA1
639a9589a5c9bce9f7ff786be0b85b9974006631

SHA256
946f87397dd7c0b26f59a87a9d5ce4bc2921eb7f50f10cc38f13660ee19ea240

SHA512
580243aa02705e5266cf604661a537210ed8970c2f044f566f62d968b9151acc242b3cbb7c48b75c33615d1ea4bb35708193d3ec2cc843e940d33c7f55e90db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
604272d707e1e256e13ebd614e992875

SHA1
54102f7e87436b7e3478535eafdff80ad6ec764d

SHA256
abb2c9474e610d760fbf20b01d8bf180bbc78b31f40421c73d1afd5d27910159

SHA512
db7ff1f390049a627bcdabc9756fa2ddebbc3f26596ebe3fccc575826482e1922319add6ca9dd2efcecf5b0136e52a9803fb22e2275e18c8caa476dd35e750e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
21ecc52c3401594eb0460588c70e5407

SHA1
3fc7e06792242a6bf1d7a122f38c174a21a5abf2

SHA256
f3bdd78d027a99ed272997d7828045fb81ba3253ba38dc55b065c2ec4c529dab

SHA512
4452dd06f57c15a85965d92bf1966ba71b282ffc0672b45c0a80c5466e9324c33624eeceb495a8439e4074fe2d033694208fe88deb904bd676a32853e89b9c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit