hxxps://www[.]bookyrivals[.]com

Resubmissions

26/04/2024, 18:22

240426-wz2ayshd65 1

26/04/2024, 18:20

26/04/2024, 18:12

26/04/2024, 17:55

26/04/2024, 17:54

26/04/2024, 17:47

Analysis

max time kernel
84s
max time network
87s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
26/04/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bookyrivals.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2664	3660	chrome.exe	77
PID 3660 wrote to memory of 2664	3660	chrome.exe	77
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 4224	3660	chrome.exe	78
PID 3660 wrote to memory of 5076	3660	chrome.exe	79
PID 3660 wrote to memory of 5076	3660	chrome.exe	79
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80
PID 3660 wrote to memory of 2224	3660	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.bookyrivals.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc48bab58,0x7ffcc48bab68,0x7ffcc48bab78
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:2
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4688 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4576 --field-trial-handle=1744,i,2547498632655797745,13475032892004575596,131072 /prefetch:1
  2⤵
  PID:3772

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\138f124f-e301-441b-a608-1026a57328f0.tmp

Filesize
6KB

MD5
a28d5216b1a2369334baab88cd5cb94c

SHA1
4359d9b34964f06f53644e1d2ede4c5fea3f6738

SHA256
5d312d6c65242b2d5ed62ded9684395574eeaaf1023f1e0a223063e33b0ddd3c

SHA512
c0c36e6a6efe7b5bf292544e71ec80b3f9b1fbf8bb4a2574bf5fc019882ff8c7e4fc9588112f226d2e0c2e59571bdc4244ce56386e8c16d9b29e0d08c0f8d9b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
45KB

MD5
2e365c01216e563edb25a33b5b37a6a1

SHA1
e563b5a012027f22125f796b3e2125ca681affb0

SHA256
031def0e344c3871791ac2ed6bcf55a8526ba4e74a971926dd31aec0042688b7

SHA512
50b75bb11b30a3ace174b5ea218b09cd656f81f4d4d294a24f7218a3e449985aeb535ecb417b7ef5aeee51f0a01be1259229a81cb99a7cc5838425d33b87ddbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
94KB

MD5
2b7de41419dc11c61f913cf2e534a523

SHA1
8553ab877aac3a7c4ab514f7b41317fea54519a8

SHA256
4eedef695add318ce6fcaa0f2e7061ce79ee0a0a6cd820ed6541b7b1a9bb75b7

SHA512
50e48bfb90c39a777acf13ac36bed5a239d7941929a11732e8fc06f75e7eeb5bff06c6d9d2d7bf91f98a050f81db7caad1ba12d1bab50961f5a17b9b3e26475a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f730a46a3808e2868af486e4d11073b5

SHA1
2d06d76845b7f98cc0030a84896b8ff31f711a33

SHA256
dbf4580f8d7226681ee97151eaa6def51d1b107633bdcadf589c5a55bb829534

SHA512
10a3260cc4f517b94ef83965885aac51fc641e4d577a302b526a7526850ce0e1c25d24d417293e5431049b0957f753d1d86a843cfc4c0d3dad7365dfbee54727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
3b831e4e39b0c22dd5c69614ac1346cf

SHA1
af3903355d21ae568b44677c26e40723553f859c

SHA256
ac079c41dbb87cb00575ea5bd8de1030b710ba59b19b5d127ca3b68de58ec10b

SHA512
82a741a2f3b7e0b0928397b96f97af871e1bfb5448ed02e2ac893f0df0de267e02ef0c65fa6f50bbba4c688ff72b007ba00bbec5c0ae6d80f9995ddeda20c66b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0606d3639fe4c65eef13e36e227242b5

SHA1
faec8e78db104879cfad72e40ad603aefd18db0c

SHA256
c433b2653ee88ed5323d22233d134bd852a187a5caa05bff3dc1b3482ca35443

SHA512
9d10517d6a0880170060224542d8556787e8876f57b86ca081942cb80ca8215a370b7261b07bde525ebc1182273a14e7d679c7bca661774c5da19b04197b18d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b260f7ee9112da5b78e9819d52d0bcf4

SHA1
0834ef54491790c6a9b155b4ffc39b6aefa43bb4

SHA256
dde0e03902cdcb081a07c6fae66c4aec41207ca736c6132adfa7e081a5dc1134

SHA512
1e8ab7e561062c190acc306f7ff2c510bccbfe0a191e8402804a5f1758a4a041263ecf9954040bfc5588af1d9913381f9889c35796cd421e497ba328e8b77c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e2d9542bf255e4fe32e4a0219e1ddfe7

SHA1
1e29bfa8b55b997d524c307d1f4c853a43d5097a

SHA256
e5e1480ed7c49763e0687cfddf8a06bc6480b6952b621f85f68a39b50471f5b7

SHA512
bc1bb2646562d11df68c1f556b4e83ee8c30de891554b41982e70d4c6d494b88498b1292f9687a7397824585aa419169dad4b9ce3c6608931a8703bd232a80ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f570bc02f355a9b22ae1518bc86e331f

SHA1
1502d4d5ad882c74fe7fdf6a7058f448113eb3d8

SHA256
a3ae04f1df994d8d566a46e7a93838eccbaccc61737c2f531189926d1a6fa815

SHA512
fa912fa6450e720aecbe27547e21014d6c16885ae2b75ba12a09b1f6810b245c70d7dc0f171d944fafd688703571a46e67d49f5d6244a1649af82508cbe834a7

Download Submit