hxxps://github[.]com/NotReal96/Malware/blob/master/MEMZ[.]md

Resubmissions

20/02/2024, 21:33

240220-1eennsff82 8

20/02/2024, 21:31

240220-1ddd8afb5x 6

20/02/2024, 21:19

240220-z6jahafa6y 7

20/02/2024, 21:13

240220-z2xx4afa3v 7

Analysis

max time kernel
599s
max time network
599s
platform
windows10-1703_x64
resource
win10-20240214-de
resource tags

arch:x64arch:x86image:win10-20240214-delocale:de-deos:windows10-1703-x64systemwindows
submitted
20/02/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NotReal96/Malware/blob/master/MEMZ.md

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	camo.githubusercontent.com
25	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529376827355287"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4704	1392	chrome.exe	73
PID 1392 wrote to memory of 4704	1392	chrome.exe	73
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 764	1392	chrome.exe	79
PID 1392 wrote to memory of 4880	1392	chrome.exe	75
PID 1392 wrote to memory of 4880	1392	chrome.exe	75
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76
PID 1392 wrote to memory of 4744	1392	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/NotReal96/Malware/blob/master/MEMZ.md
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffddc999758,0x7ffddc999768,0x7ffddc999778
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:2
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3212 --field-trial-handle=1772,i,12450960752941610110,2531180004012373579,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
50a725da67bac4d4c5669bef499aee77

SHA1
14ac5b06c90c33e21c5ac264eb2c26ce5a613e96

SHA256
2d97aea21f28ce7116a51b57e763bc2ff7ba4c22677eea9eed9812be4dcfdd3e

SHA512
5f6153c56ff406cb2834f6c09ee05888cc4f6a373571a2a618fadf71dabad7672b10643e3a9f230d3a0757f8108f206514574de1ef1e74788eafaa772d57d910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e6b4d400a7be00f904727e6aa3a14daf

SHA1
ff8afb408cdb21660cb8dc2d34881a6601c95a38

SHA256
1bfb54737645a9cd79442daafee26e3ff112dd2c5acb4b81345f40bb752c5c91

SHA512
55016f81ca24d6262d763005c41a101f7015834d696cfdeac3f9cbf5620f923a1ccc9b81497b70c87ea22ceb3f5ed1cd614edd28a84ba22a5a83eaaf746d0411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
971bf777e86fe60c2a6188a7b51e591b

SHA1
11617ca75380108126bb7b227b3b9b03cfeb0f1b

SHA256
0590754c5ae66e90bd37ce9db65038881c0bc84c3c79da5f37870d7f3611bb16

SHA512
5ff3792a6dca9af7a99c6a18158796a757d1e22323c2bca06b89f7379d89d25e570c2928f53d32ebc22ec1001197f82a197d6c9224bb47ec6d2a400cc0d8bbb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
155d17d9a70c91a78e008ec31d48d11a

SHA1
9dadbef36744228938086243aa727a5f37026ba9

SHA256
c46422056c730c9283fce15679a4ec12d8d6a0e730ff658727a53ac3c45deeee

SHA512
a829afb1a09a2fb9b718a16057e70534e7116b65145144d28ea1c38bcdb55a35e48780b7699a380547bde6dda9b22d7cf52bc36345f283c90a39604457502e11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
46a04903d5cd61e5ba1598bc2ec3d9d5

SHA1
f15d7b6aa8b643162b7efa16a53553471accf819

SHA256
c981383d8adb645e5d63e258733942764efe675adc706362bd0a7f90f117c530

SHA512
63b37c4cb08af3fc3afdadcc31b8128ea2f59f9a1b2bdeffe2ec7bc628a7daf24279ad692cd9e472bcb33e8970fba56a3924836d56b55f9da0a3cd5ff7c2f576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c03ee010aefff16db7ac47f03f1130c8

SHA1
b341bee09d420874ce9e155131a20a01f45aae97

SHA256
e2c14c157364272a5ddc42feb472376e7ac65605a841d588ede800ad5d41eb40

SHA512
752ddb23dcac9640208f02402bf58c39b3761fee59115e83b633487b9e18305cb54d10270c2caa7bd94dae8ca856252cd02a93198b78cee20d0326b01493b40f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
b6cafa4db7576d7d913295750ec24c7c

SHA1
b3b0c72e5f5fa6b4af66734c7cc8b5fcddbf88cb

SHA256
0c68cb08a054b90a5a2629874e8426ed5be70218808ca9ec54e415e043fff4d5

SHA512
82c810f4cee9087e32ba01212f8556bfe3fdd6a1b203255ce10be58b34e41f7259bc9984af0e8f5cfedcfd130ee35de011666b8bcc1bf83bb4cd975de8e2951a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit