hxxps://cloudflare-ipfs[.]com/ipfs/bafybeifqsrtjbkshtaaqjqwa5lzod7vtd4d5wkxermek46zsbnwwhdbmwm/Kwabroder[.]html

General

Target

https://cloudflare-ipfs.com/ipfs/bafybeifqsrtjbkshtaaqjqwa5lzod7vtd4d5wkxermek46zsbnwwhdbmwm/Kwabroder.html

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 cloudflare-ipfs.com
8 cloudflare-ipfs.com

flow	ioc
11	cloudflare-ipfs.com
8	cloudflare-ipfs.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583222530036983"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4708 chrome.exe
4708 chrome.exe
368 chrome.exe
368 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4708 chrome.exe
4708 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4708 wrote to memory of 5068	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 5068	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 3076	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2480	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2480	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe
PID 4708 wrote to memory of 2936	4708	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cloudflare-ipfs.com/ipfs/bafybeifqsrtjbkshtaaqjqwa5lzod7vtd4d5wkxermek46zsbnwwhdbmwm/Kwabroder.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7c94ab58,0x7ffb7c94ab68,0x7ffb7c94ab78
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:2
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:8
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:8
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1892,i,17726963630370664914,14547101019994382974,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
24667a7dd2f6b78565f4b51e1d305da0

SHA1
95d658897b8ed84f1c1706c86692904e9a24952a

SHA256
06e2b1de08cdb52e408e517f4284102e9b28aa47d36a1bd1a835f56b1b5423bf

SHA512
7e5022bd59297a2b1770a4f1555d1839171c95af88cedfcacbe04a1a5cbe3f2445517415738e3cceb6ad578a769fe97c89441a0ef831ac457f223fe4c21d0d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9602b5a80135da55ec72c1ea98c36f3a

SHA1
8b5503d36709761ceab4b019b1e2b4c57e95ea0a

SHA256
9d3d4163a5efbd5b49d5ba8e20a9b1cac73682fb36ce9cc2b1f0907ef5bb98b8

SHA512
913d145fc9b5415b9eae9e008415aa97d55aaf8ba2115c1ac381f767f57c4102a1a20485a1d1f643a92c4b731cc0326a0606aede53f1c7199e1ef2331f14a8a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
cde9ad7774b735a75520e1b73d1229d5

SHA1
428198ce92ad8d1060bdc7bf01bb66daa02a66ce

SHA256
5b94adb9c9ab0ee105bca6241839015e450ed5c171394d10abc4cc08c37c8ba7

SHA512
9f993a5374bcd75e390643c24c4dc88d6d061d265ff9191c9c60f13dfb01621d58a3af0ca8a102465aba8efda33e7dbfe47d76687b64e45461d8b10c1dc4d34f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c8681a30180968ca618c815aeaeb2937

SHA1
a49e0988bd0e552761c363be216d7e3200b13751

SHA256
e01ccf9aad28ebe7a61d676b3d89283a637da63ff0757204b9a8c3bf82055f6d

SHA512
a45f4aa69ca1146bbe749328b7db6e6a44eeef0c07de2cbdffdecffad31be592cd58139beee7408ce2543c8d604c80455974b33ee0e484060ee170a1fc6b3b7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
4089ff204cc84549ba30425fbc247b75

SHA1
697b65a8ab637255c9cd4cc6ae3c6ff960cc815d

SHA256
f514852a85e35ddae8f7af6eeb3c9d2e667f2bc7dc8e7a25a23922af5795167f

SHA512
902571e85dbf242ee2a807319589b533060e0187951c25d34e82f91537bb1658878cc071528a79cbb6c10e4980c1aaee79e32363d663348ed0c8055709890cab

Download Submit
\??\pipe\crashpad_4708_VLHPPBWIYNZHFFAW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads