hxxp://nklnc[.]com

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://nklnc.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133541493631932815"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1148	4396	chrome.exe	87
PID 4396 wrote to memory of 1148	4396	chrome.exe	87
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 2544	4396	chrome.exe	89
PID 4396 wrote to memory of 4456	4396	chrome.exe	90
PID 4396 wrote to memory of 4456	4396	chrome.exe	90
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91
PID 4396 wrote to memory of 2184	4396	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://nklnc.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb44f9758,0x7ffdb44f9768,0x7ffdb44f9778
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:2
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 --field-trial-handle=1820,i,6233132388214869012,13015574453073473847,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1812

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
9d0e6d59703bd2277f8eeb4d65d052c5

SHA1
5b5cf1da9c26cb83fe25f95d22843a7b8ee852e8

SHA256
5f10df68e9fe036be3a01a6b14d0f0fbb157238dd3b986a92e2c2a06aa1d7f74

SHA512
9407027fb31b0d30bf6d6acde2336ab166418c23202057635f91fd91ed00f8f1245ecce3d920a91e436b5673793e41c5d867f942896ef05a4e5c013ef5a58880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c88f0ccfd95754e8c35042f587cc9196

SHA1
53676b19778dd59ea95ae6ec7552253c4c6a11f3

SHA256
8b66263b481013c11040c16a47dda1e49698775fe74f1d947c21bee2527ef792

SHA512
c243b482d06f0418af21e8dc9372ec4d2e7f4ad1d024a8a4a48d57defe73d5a9225971c66f6bdf5a2f816bdbc18949dc9125f02e6d04ce89ed332c8eb51220c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
baddbf81c7d2e471a01c6a79e782e765

SHA1
b57a0c2d9c9d99630b53723ca96b56ea20289582

SHA256
5e0e4eb3ef170925aea5461fb040f561f56bd17c896611a9f199676a596fe3e6

SHA512
1ecf2808d10abe27822ce465ef264799b84ee71411d8be8d970c98f065f52e75b4cbfe09bff892d07bf5a9c2b6b4532ca52c9b01ea5aec9493d287a045012388

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d402f40800da1a0f0cf4bee7ae927588

SHA1
42e49809041449ecf52e09890539dee13f5349cc

SHA256
afeaffe937357a0b26ba8660363c92896208c250c672f28f69e30c70b0fd70b5

SHA512
f2d00dd0af7548a66dc1f81f9010748d334e68292dd28e17c6ac0a3b2fe33d4d32432cf4d2b5d389776d14cdbd15e862f24b00a1c3450a5db9af70fb3e4895af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
cf20660e8152af48f231a0e87be81818

SHA1
2181203e4701225bde40e3292e057aa2978b3636

SHA256
4f4b52e5ebf67345e05f5b2c50b5beaf8efd3da81184414eeb172f9b738fbbe0

SHA512
22c41de1145d78025f6435154268b911b14dca546dfb221077df28f81cf386d74507ff30a385fd99f244c166dd989ecb61f2d3396fb14f14656efd42b12d77fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit