hxxps://tomowebsite[.]net/wp-includes/fonts/lod/dex/captcha/

Analysis

max time kernel
42s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tomowebsite.net/wp-includes/fonts/lod/dex/captcha/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547729407884976"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4132	2636	chrome.exe	89
PID 2636 wrote to memory of 4132	2636	chrome.exe	89
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4100	2636	chrome.exe	91
PID 2636 wrote to memory of 4020	2636	chrome.exe	92
PID 2636 wrote to memory of 4020	2636	chrome.exe	92
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93
PID 2636 wrote to memory of 4024	2636	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tomowebsite.net/wp-includes/fonts/lod/dex/captcha/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5dfb9758,0x7ffb5dfb9768,0x7ffb5dfb9778
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1708,i,5657747093174107876,12803763450294195172,131072 /prefetch:8
  2⤵
  PID:4312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
b57b2e99e9e980b2bb8ccc1b7a29ce46

SHA1
08d8d4d61280371ab5d7c99dfbf82e2f106f66db

SHA256
92f081c039d717067760888f39e2a17c94e69c58676be77ed807b969a3a3d11e

SHA512
304594d78a8bb350d703ebaa92cf33116b04059261b6e5446c78c65a8239323e922d8af9b5e1331f071c586f0e3847c9e974a756be498859bd0156711379cf72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bb3b4338d6d85c8d114416decf40c5fb

SHA1
f08ea285fa72e270c57ebf1b333451d32a0f9dca

SHA256
6445b31175e58e9475a821fe65b36b74f56146fd665476217080db818ffeb054

SHA512
5135281c6039b4621ff9f849380542fb6950eff6ebd52ded919a2f5002011de94642b784d7ac661c4e506ab5578649595029ecd2c4f45e3ea5b6adc99623e035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f2bfefdc702f2de4870bacd1e20209b2

SHA1
9175c5abd471a8c2a181b1e84cf663d670ca841c

SHA256
6d1401f8a1e8961d3ab4b0108224b3c69bb7ee8d97ee9a99f285bd55359e78bb

SHA512
3d4b783dc9edbb9d4aaba8da8f8cf8c0dc8b23d24c99db6989deb7b5853356bc3e24fdb2180fe41be642406ea59783a3e3a2897a183294a90a8111f57a0843c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
7c7c58c3927f468a8253c6118efb48ae

SHA1
57f4127634a66ac30c59fede0c731d743063573b

SHA256
10419b8022c546daa587d7b294e5356315d769d77ef15416328e9dde98bee65f

SHA512
0bb9135303637091a5f2e6d32bb9984777f8f1a8d4074af21e9db155f01d6efe180d49ef2dac1cf87882287474a8e5b92da8f9273d63ffd3ca9d0be778704b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
08f97e25020d8195e6b180b29e2800e3

SHA1
159963558187b5c817665332a8438f0bf0c45048

SHA256
5405888bfd05ba96053f72e5ac117143dea86aa1521ac1949e6d46817c032aee

SHA512
eab83f6b8b2f242817a903515adfcd590fec9d8f6930cf1a8a0bd22eb24cba046f958f002e82a3dc6007e1ada8c01159ae146077877a09f349f288e6775f27b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
318b985b24a766cada272af4179c88af

SHA1
2bdf1fa69d20ad52d0449ed88397847e2a000f71

SHA256
0f0764f29586896700032c8b85c52f136cbd1f4fe3ad3135ea4d8e8c522c2eb8

SHA512
6a2f6edacc954e30f771cd2a72ab17a8dbc40a84000e90de3cf23f44ae1519ffc418ab093725c338368319ec6272610c7f8ef9320fb99fd3f4111ea6ff1c4f3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
88429dd2111052fd7900ede2905a2293

SHA1
e4d665a04023b18de77161f47ed801aa42398a4e

SHA256
aea946294c1e9e0e388e45dab330736df3c794a4955e3cdc9bc143e1bbecdc58

SHA512
708306aa16e75ea3124a516ec04e8d34f21974e5d447090a7ae55ec9407662d420c6319c07696ed70fff38a2178fbf212bdb9197b506b2d9101294c2d69a510d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
6bf4532272d57b66ec702613428bf70f

SHA1
c37de325d2ae76dc899d5f552a8b3da4657061d4

SHA256
b5cff9c5e8535658eecaf147de62e9df7002d576a50296cde622495077d16902

SHA512
d8ff9e41b8bf297f1b3a0d0cba46b748c0fd101bb29df2cefa864a64c0568d3ec85bb3c0f6553c9c28be1278be7333ed1ef4bac6d581bf7233b25b900b15689b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit