hxxps://fitgirl-repacks[.]site/strike-force-heroes/

Analysis

max time kernel
20s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fitgirl-repacks.site/strike-force-heroes/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576588504343301"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2516240262-2296879883-3965305654-1000\{4E445A63-DAB9-4119-A274-8CBE539654EA}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
128	chrome.exe
128	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe
Token: SeShutdownPrivilege	128	chrome.exe
Token: SeCreatePagefilePrivilege	128	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe
128	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 128 wrote to memory of 4884	128	chrome.exe	78
PID 128 wrote to memory of 4884	128	chrome.exe	78
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2184	128	chrome.exe	79
PID 128 wrote to memory of 2156	128	chrome.exe	80
PID 128 wrote to memory of 2156	128	chrome.exe	80
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81
PID 128 wrote to memory of 2344	128	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://fitgirl-repacks.site/strike-force-heroes/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7e44ab58,0x7ffc7e44ab68,0x7ffc7e44ab78
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4380 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4696 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1532,i,5639396377935473835,14743616859131564526,131072 /prefetch:8
  2⤵
  PID:3136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
499b82c6a28b819809696815c462edc1

SHA1
722eb1b94098f7e3ff202e7cec790cf9079d285c

SHA256
e619bf97fbb97d8ce133e9367dd97a0ee7343e8f66c00010a278f2a57fd3c590

SHA512
45d7993bf91c85acba72e3f2e4d046100e85c2b543d5a0f010db0c748ed6b6a1a7906e7dac89e6dabb897fbedc4a4788df6b5a10fe9b940d920148ac265d6760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b06d26ca87f91619ada5facd19231bec

SHA1
dce7b1bf04e3dcde0126302f372eb50332709f20

SHA256
c5e1a56008ce2b1c6facdd70c3ea39c8cb641dfde4039220d1e21a409b696b11

SHA512
1ae97c8bb0aad52c7ac8211d86531ff90cbd44eea1dbd1e1001023ff74721a45acef8cbcb6141d9e3145ce88d606eb0c8d685b1ea11abf192a8dcd0b142f5943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe578925.TMP

Filesize
120B

MD5
e3d46dee8fa9f6de335d8f6cd5ff1e2d

SHA1
910a8ec9e447bf35f9a12f845920ec47f367e4fe

SHA256
090ebeca59cc825c20946cad338015400f75813e68b3edc9b204ad5e8b67d80e

SHA512
670478571c1e737d48b886f0dfc1a2ed45b5f60dd452584df36a0bb3669beda47ab4dbc55b88594facce2630ae559a8fc2e0f8981e45dfca4c313b8c95d7fc64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
490adf959af6f287ff47b37df4f8699c

SHA1
f07e39035986949daae477ce818e0ec8d20955b7

SHA256
4d5907fb3f3bd6c9711f1f8bccbd0451c1ce36d9b4109ec903f2ee8538be070e

SHA512
b4bf378278dd18b76d5abb1ce3b90561d051b3c990ec1904821c24049379f4fd2d51064650da68964769d30530a55e1a388821a97dc31c7898f97e9284a0a56a

Download Submit