hxxp://noemifazio[.]github[.]io/fakeflix

General

Target

http://noemifazio.github.io/fakeflix

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527768065540368"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4824 chrome.exe
4824 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4824 chrome.exe
4824 chrome.exe
4824 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4824 wrote to memory of 4068	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4068	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 3892	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 2816	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 2816	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe
PID 4824 wrote to memory of 4788	4824	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://noemifazio.github.io/fakeflix
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc27039758,0x7ffc27039768,0x7ffc27039778
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:2
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:1
2⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:1
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:1
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:8
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1856,i,2569073954241955021,11979296505921904540,131072 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
707B

MD5
6eb157108fdd81c43216da47140e3d74

SHA1
88784d943ddffe96e3d6be171efc0431bed511ee

SHA256
0b4d46e8002124a24f207237e2b3da0e46ca8f0db8e948751880fe489210eb1f

SHA512
0a54327704e3545fbf56c1113a5dfa6edc2428abca19ba7731f0ba574f9b93ef49c15a65937f7b77ad519438ecdeec5a8d7842d7ec41a3301ae4772ea97db4bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
707B

MD5
7a49ceb023095223b9950c8a3c8576f2

SHA1
ac4f5eeea8ed5fd5ed5d4d63dbcd937644812049

SHA256
3c47083bd303f345a6f08d51fbc6df490beb1b90495841bf7055d9b821a1ae22

SHA512
9ad1b1e85c30e8b48d57b70c2068e1dc0d4ad181de48c3348b40e419f924335da1a5399b71d0c19963e7d3c536f41cb7d7a690fbcacb568c21beb61948013680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d4b220970c10deb456b8d70e5e924637

SHA1
5a406f039f4212278328e7981959095ad1a24799

SHA256
6f246d4d75600e842444de364f85f00982adcf76c7dd523eb1f998e0fb0c96d5

SHA512
30d4612068f3f3e4800864f47bf774427574a1ac5e24b1b0a6dd9b8612e3cb226d1a1dda0728341db560d8d9104d93bfe821a5d8b72a7972f2c0da943d29d6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7d56469e1165b89bc628508fdd746136

SHA1
25ea87b527b2082d3afb8953750f1f7ac4293290

SHA256
48d55b72cb47999e7341f183e8aeba396d92f37dc912efbfbd8868422e481dee

SHA512
eb06c9606db52ad27eb3c91970859cb0dc3db85556357f2206fab1765ecf64368225c1ccbcb4a8c0b3ad9616f09ff7ce664a5e8e93dca2a15674461242f497b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
ae8ef0343471049c7655d769eb9cbb90

SHA1
76f54f32c5a624b26d06c1401bc2cdaadc7d7e1a

SHA256
cd8b3e8a6b88afb3aced0a3c6979d6ff497a0ce1077b09624d17d07b1b855407

SHA512
3e81a4a0fc8937ecc6a604defbc689b25763e5e777618768364697c5f4a02c41f06eeaa9eebdf2a48d5fd98e75dff0e9ea496e51b6ef290548cabdb857381c95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4824_SGYTWESXLWUMEZVR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads