hxxp://formoney[.]com[.]br

Analysis

max time kernel
72s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240426-es
resource tags

arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09/05/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://formoney.com.br

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597377121218309"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
932	chrome.exe
932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1424	932	chrome.exe	85
PID 932 wrote to memory of 1424	932	chrome.exe	85
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 2200	932	chrome.exe	86
PID 932 wrote to memory of 1392	932	chrome.exe	87
PID 932 wrote to memory of 1392	932	chrome.exe	87
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88
PID 932 wrote to memory of 2148	932	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://formoney.com.br
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4f50ab58,0x7fff4f50ab68,0x7fff4f50ab78
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4472 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1892,i,18083007478038104561,9874097305021402602,131072 /prefetch:8
  2⤵
  PID:3388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
01e3ef693f1edadeaa4c323234680dcd

SHA1
8e4a65e3fe8286442d859dec08bcc1eb1ad09fcc

SHA256
fd09d1b2ed94b338947d0e8aeac6c7b4384822489614fa6b5903c00445343052

SHA512
140c1452bbbd0e82312c4f64188e17e3ee2a0e8e7939a734f442adfbd26a8034262ebb20e4a6ef0aa8bd2d8543c2b3f81618580abcfe64dbaba01542b3fa27a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
925a99fc02ae2e356281e291488ffa41

SHA1
3c4b525e88fecef11f7e0f7d60ce81be88c457a7

SHA256
c8ed4915bafae91347e4c756337b409ddd10f56e326b9275574df0249d7e0198

SHA512
801809a2e728737d8d888dbcf2a71ba70981a92c71a8b3e1613bcfc7031ded280a5189582926f897e1ec295777306c3e8a7b1bc2fffcfc129679d8447b671fc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
11aba79f616e6ed1d2ce43974f47a531

SHA1
5fd6cfbd6e8ee6612be598764ce1dc55a18496fd

SHA256
897ca02f52a6eff7f14b43ba70b0e40020628b79349f2ebc2e07384489a3fadd

SHA512
74b1c3d5637012a7347ba7f3a1608b31f797f320ce2a6dfbb5b1387ac3368c423a22c72623192db855f9edeabdbf696f3d639b9033779e6305f90c73030e1090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aeff72059227da77ded3597e367bed58

SHA1
52e82495f20ec4f3ee43a1031c480e77fce2edb3

SHA256
56356784ccf32ad111d157a13afb682cb915e15e8d83edb11663819e6be87c0b

SHA512
4eac0cde3ccd201c38a226b36ac8fd79a7f9747f7c1ee11c3540043eb4f9030f25b6439eaa78350e18ee5d4ad2d6602c343804dd5625be4909470faad03ec4c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b9be09410817751ae8c90a9c6fc29c6a

SHA1
e2bea0127a6655aefdc0d8fbf56e263020f7a40f

SHA256
9f3b808d6aa14bfa63d3d3de55889fb391465468f008781ed9aa0726e6d7e9ae

SHA512
e0ad2c30062763a1b147f78d8013b0f067f13bf5a87a5a975baef0bc25e34ba7220202b356fe3e639256fd2561fc15cf40eaad55adb0974f464124f70832ef07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\66193cf91dc320cf6dea58417deccf489b463ad8\index.txt

Filesize
136B

MD5
7afc26c27aade8fa3e496fcfc2163146

SHA1
dc2a721821b7c3e9e52f2d2508dd8cf54c22e5f4

SHA256
f612b77f21eb9a2e486e5ff9ab4cb4e6f5b5f4bbe2d014bb1dab66825c335285

SHA512
e4654265d415f62697d42c2bbbbf21e050b846f38969d8b34720ab9f92ef80503ab78d591454ca53eadbde09923748fd36ca4268b1f4c41c8f84879f40192dd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\66193cf91dc320cf6dea58417deccf489b463ad8\index.txt~RFe579143.TMP

Filesize
143B

MD5
3bff177e0f270de2f4fb7a5985e4e2ef

SHA1
e616e1de78d0af64a52befa161a02cad8f3430c9

SHA256
ecfb228ed678dd065724b9a294b99b5f85db7191fb89871e4f46b4dd8aec0f01

SHA512
fe23513436921591fd288e261d6b3b96a85f4ed8a9ca70833413f8abda70f9fc8d073faca39fd825820bc3347edff987133530284eb3f13d7a17892536fca0c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ac2c06eeb3084a10d78c2ec6d5a4fb79

SHA1
eb3a66fbb067029f4cb971c51ad88c6654791054

SHA256
3257ec7da04dcac52fc0b96ff776742176e0410ab07741a45f7a65f4d582349b

SHA512
52cebf670b6ac3b530305ac1c250eeaf463676afa4ea611624094f9f3e58fdbd2376a056fb9fdc6e0742c2fe1875c24cbdb3801c0d42fa7e92a5959fa1f85b0c

Download Submit