hxxps://ddec1-0-en-ctp[.]trendmicro[.]com/wis/clicktime/v1/query?url=https%3a%2f%2fkibsi[.]com&umid=1f0b4092-0772-4813-bc57-4ec6f1e9288f&auth=65a620fa4b6e2edf0405a6ed61dc7465231096cd-7f5d4bae40ebe24fbbdef433a0f84e80e64784ad

Resubmissions

19/02/2024, 10:48

240219-mv81kach22 1

19/02/2024, 10:47

240219-mvn1dsce3x 1

Analysis

max time kernel
37s
max time network
44s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19/02/2024, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fkibsi.com&umid=1f0b4092-0772-4813-bc57-4ec6f1e9288f&auth=65a620fa4b6e2edf0405a6ed61dc7465231096cd-7f5d4bae40ebe24fbbdef433a0f84e80e64784ad

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528132820813674"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 1892	3172	chrome.exe	63
PID 3172 wrote to memory of 1892	3172	chrome.exe	63
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 32	3172	chrome.exe	77
PID 3172 wrote to memory of 5056	3172	chrome.exe	75
PID 3172 wrote to memory of 5056	3172	chrome.exe	75
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76
PID 3172 wrote to memory of 2452	3172	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fkibsi.com&umid=1f0b4092-0772-4813-bc57-4ec6f1e9288f&auth=65a620fa4b6e2edf0405a6ed61dc7465231096cd-7f5d4bae40ebe24fbbdef433a0f84e80e64784ad
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff969529758,0x7ff969529768,0x7ff969529778
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:2
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3712 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4908 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5044 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5308 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1836,i,5936652541152345831,11061120569973318891,131072 /prefetch:8
  2⤵
  PID:4444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x378
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4bb5cbb7-38dc-49ae-8f97-1467333678c4.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
6aac9ba546e697731c2bf3b6edb5d6b3

SHA1
daad7112a191e1552f97bdcb0aca32b4818dfd95

SHA256
dd5867596bec37398c277d3fa54905ebcf8e564d50a141a79f4c5f736172c8af

SHA512
a038a764c6e9fa5e69981c4c68127ae70ebe652683719fd96f0e93391d286be93ba2a06131ec9a227593950cf97395f70552da3e0674020cd756d2eefa66a8ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ccdfb95b19a712b60e55be7e61e93a7f

SHA1
1d85824287ad14a2f874dcdb8a08840af3e6d0c5

SHA256
ef2edc8186d9ef2872c911874c2c3b518baf08b0d9e681d0e67fea347b6d0deb

SHA512
be1bdf6875511375358b09b2a51c812f938e44dfadff5c6095a4706c89f555554c06f2ede60e629f3c0b897613ef4089b294d93abd4630108f776782cd7a02b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
91e0e34d32ba6a49d6dd6f30e6d53060

SHA1
747162f6f51f052d7940899eb8b0b1c631df1720

SHA256
a68a933beb5c58540a3083561f32e4dd01009acb782fa36c835a19fccec3fbf7

SHA512
794821c760ae1f3f1ccc826bebd039a4945a25628a25b69c9da99a85a5c5739b0b24822f5141ec2c5b51ced87da735019b7be1e672476a15d9e11055a9728beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
242acb5edf5523953a8c4fa415dedf16

SHA1
12c1e93344c843113e48165f16d60dfcbb9bee40

SHA256
ec8150fec17d03ec9f6c0d7b05b6ef244c312f5d667fe1c8dd69be025bc84a24

SHA512
5a6d8d4d58bd99d34047cbea634ec241a3299934da5b54eb5c222a3b8bc50030cf8172522b9a26eae7a2ede6a6f521d1d072664bcdf3b65bfccbdca344a4fd75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
091470e4f2e02a9ef62574442f2aa3c0

SHA1
6b083b6ec01fb7fc520d88a809934be4c8a09164

SHA256
4291b03ea6c9458e2431eff418bb7e15c6d51fd852e9c7833760c942ed82bee5

SHA512
ab3f8677bd3f07a959fedb760780a20d1b5dced0133b9768f2e98cf2fc66a03a906fb6b3f4d1583097fcfc5001babf49385880dead1361e20a7a98ee983c32d1

Download Submit