hxxp://www[.]cosmicbetrayers[.]com

Analysis

max time kernel
69s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.cosmicbetrayers.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578587411106676"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe
Token: SeShutdownPrivilege	3532	chrome.exe
Token: SeCreatePagefilePrivilege	3532	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4924	3532	chrome.exe	79
PID 3532 wrote to memory of 4924	3532	chrome.exe	79
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 1176	3532	chrome.exe	80
PID 3532 wrote to memory of 2164	3532	chrome.exe	81
PID 3532 wrote to memory of 2164	3532	chrome.exe	81
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82
PID 3532 wrote to memory of 1724	3532	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.cosmicbetrayers.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe230bab58,0x7ffe230bab68,0x7ffe230bab78
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:2
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1820,i,5869094806870100533,17866320342706237517,131072 /prefetch:8
  2⤵
  PID:5048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
4f169e874b0eb70adbefa5deaa18ea98

SHA1
de5ac8e20c5b8c9fa4647d4bba5d365a23d0e229

SHA256
f5b847eaf71368d3d9398b18d9f51092c2a691dae46b73d337434bc21732a1bf

SHA512
2a7d55a8d7a45ea92067535d4287438dacab37b0a371e172f63c34350117af35a5d9adeecfb997e4140233726dee159c163775f696ebe8ff7d5038296865bcf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
533a48f631639782431d73e8ccd35a13

SHA1
68ab9a602dc43a3ea19cb656e2559f555838cc7e

SHA256
6de63a9b8310333985e70ccf4dce9ec1cde86e1f9996a4d016dd8b82c4baf3f6

SHA512
73bd60878b22cb42881c7a65a3a75e68892ac74c0b05561f85c85f98aef09e749263dc6578ccae93545129eee6c2a87593aedbf9fecc177a1b634288efab1c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
08e5d2a513dbf0b05000f70c22ec84f3

SHA1
62d7535d9601a3915c243beb997d191231e4846e

SHA256
a1960738701003ea917c689560443cd86780cd2c8de93b0ca6b14ae89cdabea5

SHA512
cf0fbf74b1f4292f0f0666c9e40f5c7fa362e8f010e5d33c0642a85cc23f354280a7a57c5c1150a027a43436d402faa5bd4e82d9a505922ab5da3ef451356ba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ca3862c6ec9e40b4ad35d739296ca1a5

SHA1
2dc238a0c495bc6389c08cc89b61894956e49cc6

SHA256
2be470afb475a6e1f2082b38f169f8004a1faef8fe49b660a9776d9ff5037f19

SHA512
ff223842de51a3b08d3c4850e7ccb7280eefcacaaf21bb887b0a32686a6486e02430b219c76ce980922d8d5e1c5fc4779d837adca37429026e46ccf381e5712f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
a417172b93cff3f6698325987954b3c8

SHA1
81d1c37a8c8dc7fee9be8af6a075f31430589f2c

SHA256
ca1d71194274b3592798c887e84881dd3e8e979539eb192c1c8510b91c0229d0

SHA512
0965107b89660e883e55046ba2588e332f529502895a332a573d8faecc52ae323fd64e802abf2b2abfcda08973496af3539d0dacd7dc5d51a09c6952bebdf2df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
69a4beae80fc7a8e9b5a849d407fabad

SHA1
b8310040d1ef5f680b3fdd4137231f4359fd2006

SHA256
548af9c0353387331acf60b2e3d8b049615f1ab4f375ea4fc810fb53159a6893

SHA512
32e6fc2807629c28dd4a96c08cb6e3a6bac0a15cc52e7f196980fceb93558818aa63b6fa1b8673d70336487083d6cad09b4e9f554ecc4a23e27ae13e54483511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
942fea786492c7f73438bc14f170eda1

SHA1
378dfc1487d7b78353090de911eaa3399c78afdb

SHA256
967777c3aeb477b28ca277ecbdd64aa4aaf11b3cb067bed51c16d0eab6586aff

SHA512
4708058dd4b6a0b1c9cc9b71f8ded94c6ee55cd81ac30a7a7feb5e9ad544bdc551d6afd54a492948f084d70be74f852fe4a02fe1a7eb12efb8d2b057163a6738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9497113f7c2b4eb8a14ed45c60703bd3

SHA1
514c5bc0cac4e4bfdf7cf708fab5364d0aa0a4d7

SHA256
f4f3b5ec6754a7276e520ea7c41b646a137794cb51a87fc2cff5b5211fd40b16

SHA512
aa6d024a5053b065a86103f598127f7aabf0f8df7af2cfe54a6f1d020a9fe29533234e93d13c2b44b51baa765fcfdbba5bf86a2102d1b532be3f763b8bc6473f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
ced561d0358b9319be55187c77fac177

SHA1
28d258db1831c32116388ff24230f8c77e80c1cc

SHA256
17cfdc3064a25689cc0c9d059e12db9fac6a68413cc93b9320f7d2c7d6e7ce85

SHA512
772a326ec28cb9be8a405715d001474d5217ba11deb00651233dec7460aadba4a3c5fa6eab1158a08dbd60b1373b1a0029ba528b32a785d6902fb3ed63df79c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
e5c791ce743ee66c5885a4f8c676b61c

SHA1
51bef98d912cc3166646972ca6339868a5cd61b9

SHA256
c14ec3dcfb5397b187f71a32e0003890714287a8f9aa3f85715751c3c9ae0e0a

SHA512
0274b0f949e439c5607298cb312664a911bb6f79a47eda14a820c8d27b53cd228c8beda5771c8015f516a9776618f7c63149ab15ce8269c41f07522152990191

Download Submit