hxxps://github[.]com/RattlesHyper/TrafficerMC/releases/download/v2[.]3/TrafficerMC-2[.]3-windows-x64[.]exe

max time kernel
23s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 21:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RattlesHyper/TrafficerMC/releases/download/v2.3/TrafficerMC-2.3-windows-x64.exe

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589013988479933"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 3664	2704	chrome.exe	80
PID 2704 wrote to memory of 3664	2704	chrome.exe	80
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 1656	2704	chrome.exe	81
PID 2704 wrote to memory of 3556	2704	chrome.exe	82
PID 2704 wrote to memory of 3556	2704	chrome.exe	82
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83
PID 2704 wrote to memory of 3412	2704	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/RattlesHyper/TrafficerMC/releases/download/v2.3/TrafficerMC-2.3-windows-x64.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade99cc40,0x7ffade99cc4c,0x7ffade99cc58
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4516,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4916,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4976,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5032,i,14423373422565076349,15802188528751268778,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2284

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5e8e5d52931af043b911f68077365d8f

SHA1
934c57b487733ecfbaf309716439b8d32065fbc7

SHA256
0bc8ceda8a25dfe2d1b5b794382773963ddb3244e6f948ffd2a1ba5e368294d1

SHA512
0f2c6a2cf41142dc2e251e34583acbfd14d116a461d36d6e02bff5665e2ee8364cdf7d47ef60b5cdfc7ea1398b85dfa03432955ca516792dc7b727df5de8885b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6b21746eb9444824d583aa009be9e9ee

SHA1
4a28097ae2d873c03724fb5918e0257870532789

SHA256
76e6078bab2e150b58f869b90e6d820b6de1b40045c27cdd071bad68c3424ec8

SHA512
2b29fd0c1c30c39556fe011366287808952e6c4eb2eda79de658fa44a34eec7580f74ecc55b5f4d6431d01ecbb9be4a04659d85c98fb464b68f67f8917101925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f685e74cb60b5eb06e83ef8b04149f69

SHA1
5034b3a81532e67e1e2e2f2cd7b0e4de33e753af

SHA256
318b9d2dbb653877587e21ba060c3defead778fa37742b85c821087962d5500c

SHA512
5f8a1bfdbd0b1a09d299fcf2e1b4195f037fb668485485c7119575f6909101825a699de366449cf325c6b5ba8ea9ae3749465be3343eccc32fede1a93378da2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
cf23ab0160e2160c80a0c8cce54f73b1

SHA1
b95e66d01f6bb9e973d4b215e0469bdcb0d33c86

SHA256
d2b694d148147ce9daec7d7713f26cbe52ac03eeb3c069aa6a36e765719e5819

SHA512
beb671fe9bdeef6b5296a05503ebfb32c592892da29f136e752b94fce013b0ce0d318e8a6dafc436163cc14236914f261404d6311bd4cf8fc9ce5c16c8ba2c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d737648b906de8b2109e5a91095c5343

SHA1
20e8175b04e780ee3c7dfe288209727f4d6c8adc

SHA256
999818ed55d0cb75d06f6278ab2bf1259ddb4d701326ca209d984e4225083484

SHA512
77ef199f3c7c6ec04de4a981576e60ea3302d140499d16412166e580e252050e8725df980bc720f318a7f15a910b07c5fda099e7c460539ba3a7aeac5a8add5b

Download Submit