hxxps://kothariwheels[.]com/mmmko

General

Target

https://kothariwheels.com/mmmko

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527693499132149"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

404 chrome.exe
404 chrome.exe
1112 chrome.exe
1112 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

404 chrome.exe
404 chrome.exe
404 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 404 wrote to memory of 4060	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4060	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 392	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4380	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4380	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe
PID 404 wrote to memory of 4860	404	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kothariwheels.com/mmmko
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff987189758,0x7ff987189768,0x7ff987189778
2⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:2
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
2⤵
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:1
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:8
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1952,i,798508101307451426,16920521067221174362,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
acc840e9a42b8a71e77377a7aff95663

SHA1
3eaeaf07c7386bc5efe4cc1cf662749561341c4a

SHA256
db277119a790bd95981d4395ec67c9f4fdcc3c1d3fb63bf4ec827f1607d00023

SHA512
09146c6c3f768dadff3e947d1d7ca3cbdfb885dce0dc477a5d54c10ec3737761d8e604debd7cee6b72f819a83667c69f4716342461ad2521609c036ba97c973c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
06b0f7fa41b9ad5421ce6aa0c2fa978e

SHA1
a7590ad4201860e870ad90e046a0923ed97f91e3

SHA256
73f31add875b90b65e2bbe32f6baba4b24d6b01fd8842e879782b973ce40f573

SHA512
d9b73de2e8ef6e1ee9e365e79717b4d7054e39bd20322912589e49259e70885f2fc89a750417f6225e08965eea5ea77b86f580d2dbdccc06a3b3669ac11b3184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a5de1909e4ae438ae5c8ed650d85f87c

SHA1
877502f62bb87c210d632a7287e75e84391ebb82

SHA256
c54c48edf98d9576b1b1b0bdf8caa676e0832452ade934f32a1deeec08161c1c

SHA512
956411c07d43cf1b893a727b5dcba8e97304c02dea8bbc7fe41e8e4c2cca74248942bf967d91deea76cbf86acf768f0076044e9c8efb4abbd23024d61278df0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
183a197847dbb8a934ff6dbc84e64994

SHA1
639a9589a5c9bce9f7ff786be0b85b9974006631

SHA256
946f87397dd7c0b26f59a87a9d5ce4bc2921eb7f50f10cc38f13660ee19ea240

SHA512
580243aa02705e5266cf604661a537210ed8970c2f044f566f62d968b9151acc242b3cbb7c48b75c33615d1ea4bb35708193d3ec2cc843e940d33c7f55e90db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
604272d707e1e256e13ebd614e992875

SHA1
54102f7e87436b7e3478535eafdff80ad6ec764d

SHA256
abb2c9474e610d760fbf20b01d8bf180bbc78b31f40421c73d1afd5d27910159

SHA512
db7ff1f390049a627bcdabc9756fa2ddebbc3f26596ebe3fccc575826482e1922319add6ca9dd2efcecf5b0136e52a9803fb22e2275e18c8caa476dd35e750e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
21ecc52c3401594eb0460588c70e5407

SHA1
3fc7e06792242a6bf1d7a122f38c174a21a5abf2

SHA256
f3bdd78d027a99ed272997d7828045fb81ba3253ba38dc55b065c2ec4c529dab

SHA512
4452dd06f57c15a85965d92bf1966ba71b282ffc0672b45c0a80c5466e9324c33624eeceb495a8439e4074fe2d033694208fe88deb904bd676a32853e89b9c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_404_KTKMMNDEIXMJDEFW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads