hxxp://www[.]cosmicbetrayers[.]com

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.cosmicbetrayers.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578588436009480"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
632	chrome.exe
632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3700	632	chrome.exe	85
PID 632 wrote to memory of 3700	632	chrome.exe	85
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 4068	632	chrome.exe	86
PID 632 wrote to memory of 540	632	chrome.exe	87
PID 632 wrote to memory of 540	632	chrome.exe	87
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88
PID 632 wrote to memory of 3580	632	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.cosmicbetrayers.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffaaabbab58,0x7ffaaabbab68,0x7ffaaabbab78
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:2
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1892,i,5482653952581139875,10967991171881997457,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
e056aa208d2dffd1d6666f1fae9c95c4

SHA1
3597b6107b42525f183dc469beac8b077ae47318

SHA256
42655197ee70c261490ca8357ac75d7543fce3877ec4a915bc1182f33098c6b7

SHA512
20574a6df8b03e3fd7545d3009fb082a1615ad533f0c3edaff784d8a7aead73b9a241ea540435603f72a0047374a884afb2a7c50bdecff95e9d81087570235ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8de606215d0f6433b69f4e6c543bec57

SHA1
21da6e0d02d376609b6e15519b7c77c4edb69ec4

SHA256
d417f6d0d226ef09df1fbf063e33ec7e597ee3b9d01c76d14616d7b251cb7fb0

SHA512
8236cbd6444deab2f7027a78c0c0c9baf9098b548400b20db08999d5b6aba41ba24e9b72d72dc529f78bda1cda76eafb1130ff4a4f97026cd2e793d810b1d6ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
de9a3cf0c7af0d1b20f13bfa756a7098

SHA1
5babe7edba169f374721814ba7210f9a09a4f234

SHA256
2f8aca0c5aa57e0c7dc012f388d1b83b1e936a23c6ad3fa1092c99b986c62eb1

SHA512
b26809a4140767d51eb305d4b4e58339c53f6eb504499e92133a363f479cd68c0f378fef07f6d9f3fe78e7fa845a8bbee5a5da930ae3f0612ee2da974f3200ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
3371acb269b352c6428c7e6bb0a2708c

SHA1
b2017d68661f0b82a92320b53877f6e1d65a6f4f

SHA256
bcee86a715d3db50bbc6ec7e747f33afc613e37bcccb9ac4d7c55cb69a851313

SHA512
f32aff4ad99171b42f4c98083529ba58ab6131711544c154f984c89796b7aef09a09d46c53f46781c350cdd1d16bf45e12daff9defd397d71710a1a3d6c67e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
df5c72fee6e9934f2c331232a569ed57

SHA1
3d90bc6d2009219235c0c57756870380da18e0e6

SHA256
1d31709e992c5b1b5b40e3198241141e43c7214539e77435c7112b4a09b7abf4

SHA512
8051acb014e1d2a8096634c81788dfdb2f58921d4328280355c0023576461646b65c8761b0971069c665aafb3e8964955c2dfee2ce77497ffb3b4025480e30d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c94e2cbfb2a4d046d521313a16af112

SHA1
c708c2982aa4452dee74e5aff56bdd9554ddf7e3

SHA256
03ed526dc50c4bb7a22367c5bd84da2a4130b5abcbec39a97ed4972f303659a6

SHA512
e6798031efe3b27b1dcb73ee44ae095b49c2bf38f6f58fe26d3cfbcb098d9bf765533d484e388c24f1e584864cd2bb2bb1885698f0414ba020f23e9517c42762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
0ea0c60e6de0f9fa82d9b0ac8d2b9252

SHA1
d91356234339fad7928bbe5b8435588fd0c2d779

SHA256
6a7c10e81501991a365208281eebed7e337dc6d9e9eb66b26fc3d70775e13125

SHA512
615629af18850f6b0d6266194e4c07bd0a4bc1a4bf8ac6c4234d612108ab88d328266f5d36dd3b75207c2b14c7ae2424c88759436d2e307eb7c133aec8715c01

Download Submit