hxxps://1fichier[.]com/?wldrirmud8nkymy69chj

General

Target

https://1fichier.com/?wldrirmud8nkymy69chj

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559362116904225"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3968 chrome.exe
3968 chrome.exe
2564 chrome.exe
2564 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3968 chrome.exe
3968 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3968 wrote to memory of 4004	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4004	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4948	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 3740	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 3740	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe
PID 3968 wrote to memory of 4456	3968	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://1fichier.com/?wldrirmud8nkymy69chj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8f1a9758,0x7ffd8f1a9768,0x7ffd8f1a9778
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:2
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:8
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2780 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:1
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2788 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:8
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 --field-trial-handle=1896,i,10165874845623788936,13056015804204892543,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
c385fd99f1018cc8b47563077bcbddf2

SHA1
6e7534e51018082506b8926e05d7a0bab9260229

SHA256
89633078a8d71019f09866b0ea0f0293bff9e075ebfda6eefd38b939e725b727

SHA512
563c9ebdce41d4af9d8b6ad15318132067ede4e141595b44396eb0c0be20b9ed82e7136866667e5c6f15a1b7e54f7c999a4f4c451376e6e71216563245a14945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
418093b503a23bc2d98499f36a2d51ac

SHA1
a8ee20c9c69a880242954971831c8fecd70d3452

SHA256
d7acfc29649174faab1072ff18292775db2cefabf0ca75f7e6a53dbc5f1f87f7

SHA512
96bbe3370be5d41517b696452a6a29d87e1b10278437721faced1d3238703f665822b9a493ebcc6b51fa351f2822e6f9210127288daed1efd3eef9861c86659f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
774eb8da67b9c3a06009a0904aad6e2a

SHA1
fab201ce25c3ad7ebeb7d4f36b8ea36813304d8d

SHA256
0afa2378096dfe18c1b554333342d2d9cca5df46221ac015ab994c22352740f8

SHA512
fc76b08480a56dd45a9a13bca159739a80cdab82c8ad9b6d12b6c3a897db4fc6196437f30d4a1cd76b391e982f367cdf1ab346e6e79441b5d75efdfd55699e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3a7266d196692062006faebf08a67eb2

SHA1
0fcb06685c5f557625fa8109426809cb3ec45a74

SHA256
9f0e0d78e47f422f28dd12a7b46191cc4737a04de8a36a1cda9d277824704a94

SHA512
7591c535e1a8d66bfb7f7ba204002f07c317fe0507486aeb657fd1d37c5a3db467ef6a6c558d1282265de9b7fb94080e0026360a0b553dfef1c63fb1e4cec3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
fc82c69137d6fe2be5b38fb809c8440c

SHA1
776f6a523fa0e2d4a609f46a3c1e91cd4dc59f5e

SHA256
1e57356f2afb876fecb3f16f0754a7b4eab66749f49f807c68a653be6e967659

SHA512
bbdd99dde9d1ddae3b75a07ef23b854b800a893c6ef794657303d369014dd4a52d6d7c928fad24edba29764945710faa2d01235cb65b55cf1eb3957033dfbe53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3968_ATNFNILHZKFXWWGR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads