hxxp://o-kuma[.]co[.]jp

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://o-kuma.co.jp

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
1544	chrome.exe
1544	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 3580	3712	chrome.exe	91
PID 3712 wrote to memory of 3580	3712	chrome.exe	91
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 4828	3712	chrome.exe	93
PID 3712 wrote to memory of 1856	3712	chrome.exe	94
PID 3712 wrote to memory of 1856	3712	chrome.exe	94
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95
PID 3712 wrote to memory of 1480	3712	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://o-kuma.co.jp
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51999758,0x7ffb51999768,0x7ffb51999778
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:2
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4804 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3224 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:8
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1968,i,12972868768127484083,15232103406866398544,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x394
1⤵
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
63KB

MD5
659d7519146e4c2653082021da3bbd71

SHA1
0c930e8fd128760c2eded1442053eaa50198b517

SHA256
32da0e9fa9721a3b737051ac0f208fb8e5c923637961cdde228f61bbfdeccc5d

SHA512
70126f163b58396165e0e4ebf404d183240f313645f35302e6bda5a81c4bde753e43aee689b104ea1e0c58697cbd2c5c18d4009a287e93018a1718bb4ae54405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000052

Filesize
602KB

MD5
8095c2e7478242dd5241a734bf8d2f03

SHA1
8093fc72f30d37323eb01b1d1074a0476c863dcf

SHA256
2ce529f274044d3680f63f9ad1a192ea0b741164f984943e4ef40573bd6f5495

SHA512
c8d0f236ce3b297cb9c2a07c04c23ff3f81cd48cf0134780c7e8bae8c9c0a012e4358afd02a84c07a20bf20bf8763674bbb09a375f4298f78f80f615ec7ac0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
424e3e186ebe33f01499c4104aa52767

SHA1
faddceec9216ce7f6846799586412fadd41f54ce

SHA256
4956a5dbee4cf7a36c974e48c1447b7507c16345a937ecf633592afdb7671222

SHA512
20c6198a95b293c15c7543ba350e70b5d88339325e26c19578083b4bda99cc17766ef541a6fd2dd59d19d01d0b0743a9ecc1813e8bcf30f2a0f2b945bd86ed31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
12f94327cddb523c5462634cedd27f77

SHA1
25ecf35e0bdebbe0549c33cc0eba582149dafa56

SHA256
2a6dc325a8372ff8a8e472cd0b989acc460246e9b8316247a9e0ac0f8e8d4502

SHA512
1d300e06f4dab206f7e037a546090d1b6c71f5a8c596fee1ea475e73e46a36d74348f17999faf019aa1eb83b44a3c490edb2e0a6787fe82772af692d5c50ca53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c93d636988c428c2f4ed6e0aa1397b54

SHA1
95d5d37b82e3132022f0d73979ac35e95f225b86

SHA256
6ede10b3ab2c7d3f41dc1e1b91ccc891ffdb2fd0f5520faa5c4d53035b194f00

SHA512
2c96e62dc985b50a51fed883c7114e21a1b91d7b36bbf72cfb6251f8aa922ddf5c797401593011d1cc787327b3b5b7f5d89db815508ccf0d79dc863debbbd7e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d1fecd9147db7daa9f791c746ffae5be

SHA1
cec1890c0ea4b395e2d4737e78037ca803618a01

SHA256
9278a437f90482be2e54b41e5db3e881f7159d9861ace88d9a14011098648a48

SHA512
45198f5f04a42a04be6a93f24dc43bab8f4aa274b35e09d18c341af8aa5645f5c828d0a1ed874021971d0d0dfe929b907dac24ce50f7cc94b0538fa7cc8c0243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ce671399592b026d921230992bd602d9

SHA1
21ef5ca93de25a76dd5508dd51d7e81f08ddbbd9

SHA256
1e8167f17ae577eb9068dcb11711a59613d0e35218b456f8854a0d6651469413

SHA512
c7d9d2ca2c265c3f9756ebc7cd7adf7c8a6e2c7cbd2f35aafd168d46c998ee4880a12e5ebe83631ffe7decc9a958d6f994a19ca9697b252997b577738a60107b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f58d20a9b1c0329f3406f56a18c5cc13

SHA1
129c4a214860b0d2d575e120c8bf9c46d31bee8b

SHA256
9ab925d6f739cb8d751c77e5a2f4298c82b386e8de5fd9f415e4e787ddd07445

SHA512
5973b668097e4ca8bd266ab331f96069e657b8ab70992405261a38da40b405559b8aa7a119a33bcca7b82078c1bb51c3177b424d1ded2a17e03e121949eff3af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
811d26d5b38f5edb869133dc2e61bed9

SHA1
58c81fdff3903354791dde05de07c071b89a66e2

SHA256
5123f5611f6d770b89c7b8427a4f8338363f2679503b52f63de20ca418d8b6fa

SHA512
0c589d931db22796cea7bb20143457dddc684c579c1d3bcc6667c3727db404323d83336972969fc5e2bf089ae26685fe7ba14a892abbb8a1a12999eb50cea612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d47342ce-ab25-4625-a2ce-1afdf6d4e2c7.tmp

Filesize
128KB

MD5
576e285adef84a5fe310c64774ffc28a

SHA1
f31a9ccfcdb59dfcb929bc43f00b35bf1e6232a2

SHA256
e8245bbbc6f9ab3fa9d26a14dc6d749dc0d85c359212b1249c690023f8c0756c

SHA512
895fdc3da5c6cdec4be161361567a7a58e30e65716f12e0d6ef4c24155b9e96d74af491d43455be150697dad85722fd9a724b9777b257db8ac69745703468362

Download Submit