hxxp://www[.]cosmicbetrayers[.]com

General

Target

http://www.cosmicbetrayers.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587308598006279"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

872 chrome.exe
872 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

872 chrome.exe
872 chrome.exe
872 chrome.exe
872 chrome.exe
872 chrome.exe
872 chrome.exe
872 chrome.exe
872 chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 872 wrote to memory of 2568	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 2568	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3792	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3696	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3696	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3032	872	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.cosmicbetrayers.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2328cc40,0x7fff2328cc4c,0x7fff2328cc58
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1860 /prefetch:2
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2068 /prefetch:3
2⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2360 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3008,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3028,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3060 /prefetch:1
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4512 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4540 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4864,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5100,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3340,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4872,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3280,i,18271811378201235197,4336516317266916345,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4512 /prefetch:1
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
0fb4d56f65c9af10d1de3fbb46b7efd7

SHA1
d196c44a4162ab52afb8dae16613c38e05c8b976

SHA256
336e0969e8752b368ee3e6c3dd27587c80109f38544d65543e170a768a975c4a

SHA512
75e1e4ed2bd1a3c4c17b438a57ce81c2c3349e7043fe18b722b004221b94b818b2bf9c0b489ae3c2b22b3a021d73bc0d6ff24332be37e2d76774ec9837a82448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
0c0c16a0149807a0e164d79a1cc32e17

SHA1
df615daaf3192bb56c0aafc08544279bfd3c5b06

SHA256
517ea0b6bcd5537264d4721973ff7fec3b63d2bb94577b22855e89f1c0931c75

SHA512
2739686ed098f8ab6895e4083af5a502b1cf6393f31e56fa03b01f2dda935390873403b253e96633b12f29932046d90907740e85156b79bb3f9c4efc5b1a12fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
7845aa9acc4188570a4cb0f66e624a9e

SHA1
6864e199823f2a19e917da8b8157ab5d2386da4c

SHA256
82fa71ced7348300f4d4ba28c3d61046f7bacdf526816bfdba26e89c30c02e1f

SHA512
b30319d7962ba77bc0a2c78655bda0160d36fa4597ee4cdb9814f9a7d0b9b8b4fb48db24ea0dd7e61b803b39a2288365d3eb1564f1dff4a337339ccc91888383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
d733fe83fb319fc61b88e69af285a3d8

SHA1
34e790aa536ac7b34f3826b353c343c28bf509f0

SHA256
5c0ac0d2be8bd6716c22a1b7f80b86b4ca8c717875f28ace796d8b33ac1b0188

SHA512
c527c85e6adc9e6a0257bb9bc26557b968aa74ee4d853b8698d386d7bad37b5e06250420674488db422261722f128cbde4f9caafc780d662fab7dbd05fb733a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
dd97fa67ab75acd760704ec7216e55f6

SHA1
98dbcb29c6335770004e903d8157cd3d12c35952

SHA256
ba2fc77775093e5b2d9f0635b6b26777d18f3795cccc801fa91124057002b011

SHA512
687a5e72a391b11e710f137a948246dec93a98db53e06690e25756bed0949306147f1e0686c578388c960eda612812d75cfd9323f723dfe0d11fa156be0b379a

Download Submit
\??\pipe\crashpad_872_MSGMTGUYHANQERDD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads