hxxps://ej136[.]cfd/w046

General

Target

https://ej136.cfd/w046

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133575248528310084"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4776 chrome.exe
4776 chrome.exe
4144 chrome.exe
4144 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4776 chrome.exe
4776 chrome.exe
4776 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe
Token: SeShutdownPrivilege	4776	chrome.exe
Token: SeCreatePagefilePrivilege	4776	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4776 wrote to memory of 2372	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 2372	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 3600	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 2288	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 2288	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe
PID 4776 wrote to memory of 4588	4776	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ej136.cfd/w046
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccbcfab58,0x7ffccbcfab68,0x7ffccbcfab78
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:2
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:8
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:1
2⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:1
2⤵
PID:5428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3988 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:8
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1856,i,12271062947167187025,16708138673264850284,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
d705d720ae40765a4a4137ff41e36ffb

SHA1
e58fcff636ad33e2d760778806d354a04d854214

SHA256
11777c3bfd268f019d877c358ac88e8cf5295a651c58edc2dc0dd93eca221f59

SHA512
5b8555ed77495daeed8278f93fc338b9d32528319b2538e215d3bd71f5af5d73e28593a0bc8305a93ba5822e19df2b1a6aa28bc71213c9f807ea4fce61727e5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f10a7e7cabacc72d8407f17af9c80a19

SHA1
8bc2efb30eceff2006468960950433a5f1981ebe

SHA256
0e48c1789467a104e915cf16431063815e1e88978e7fa42ce0bb49a601bbe255

SHA512
3444618d0a2f1b282e5ef75e8d80910e831dda1049e7216c9cf96b6c3a1fe96fd7be5b97cc914b516fd9f79c46abfbfb221c05fd3d743199df9ffc6241b21474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
522ee510360af203937bb826032c4c31

SHA1
579d0edf20d778c772199bb5b5e08953a8e1f5a7

SHA256
7b803602d957f60a94def8f4afe2dc54c0ecbda19661eab408a15f42aef89573

SHA512
306d44f251c336beaff9387620a87ec153d3482129f5cb9749c56f645246dceca20f3d6c329026af8a848d71b47950c9c3e3ddcdc0d429c49cff4980b53344f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
860B

MD5
9af8eee7703fcad93b8ef9908aa93ce0

SHA1
fc9fdf5ab94527ee8681784471affcca546c29a3

SHA256
b65124776767123dfe05eeda04172aceb493dc64bd8e94243b60125683505672

SHA512
514fe97e251a2b33c092b16e55e0abb5cbe59b8102b3b978a76a7e1ce52347c9e0f5aa8fd1850d721a44cd6a877ef2fd04ba60e94ad5f78fd59607e0937c8751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
06683560f4e54aaa86bc571feb17c298

SHA1
39c7b48abecd8a45feffa24531aebb0ce7ffde3d

SHA256
d062bdf7830c8dd29502b0748df835204b1d9f9dce7513c1da775335054beb39

SHA512
06223228858a22c0b2d50b13bf2447c682b0d733d6087432694c71f63f84e88d1115c6e13135e34dbfd9fd4b5d89573a332deb6e58a998c0a9944496811c7f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
11c5b0d20e671edcb11dec1e61a9b31c

SHA1
9a14be0d5e8bea604b0b07773404ef56bf6b08cd

SHA256
c7bee0441f9578ae5762252cbec96df64c8862d54d5f3dd894ae0ff1b746d63d

SHA512
295a8019f817003d1f5f55893e4bae0924311ef3722c0e0ca4394bee57e38277f2c301b6b5e59986d9b5bc6e1943be2ff16910955dd5d76c8fc5dd504b9bcefb

Download Submit
\??\pipe\crashpad_4776_WKZKDAXYTAZGKGBY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads