hxxps://cloudflare-ipfs[.]com/ipfs/bafkreidwx525xvmzf2oxa77sgdhp2hsw5yxekmtehf3i2cczn76belwue4#vendon@vendon[.]net

Resubmissions

10-05-2024 09:04

240510-k1pg1aea7x 8

10-05-2024 09:00

240510-kyej1sdh6v 8

Analysis

max time kernel
149s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-05-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cloudflare-ipfs.com/ipfs/bafkreidwx525xvmzf2oxa77sgdhp2hsw5yxekmtehf3i2cczn76belwue4#[email protected]

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	cloudflare-ipfs.com
3	cloudflare-ipfs.com
4	cloudflare-ipfs.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598052344001958"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
3980	chrome.exe
3980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2304	1448	chrome.exe	73
PID 1448 wrote to memory of 2304	1448	chrome.exe	73
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 4632	1448	chrome.exe	75
PID 1448 wrote to memory of 1340	1448	chrome.exe	76
PID 1448 wrote to memory of 1340	1448	chrome.exe	76
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77
PID 1448 wrote to memory of 3060	1448	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cloudflare-ipfs.com/ipfs/bafkreidwx525xvmzf2oxa77sgdhp2hsw5yxekmtehf3i2cczn76belwue4#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeab689758,0x7ffeab689768,0x7ffeab689778
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:2
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2800 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2808 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4704 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4468 --field-trial-handle=1704,i,7808108719355432994,4553452628910944478,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
75a42fd391ccb89c705e55c1545f6d74

SHA1
1d3b6732230cba3a1d80236a00e135a2994f9300

SHA256
71838c134320c368a5f1b7aa6f825d1e13d45e658cdd7c624307072ab95a859d

SHA512
d1cf455ea472b4f4587082e63254e5c50e8e9348f9adc5277a2e18c1176693c7d468eeb3752fabb2b1e5bb2370e976802ec9c34552f89cc6c445139385996ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c145cb2d1e952f6dcd973b8e62f168cb

SHA1
ea030ab50713ba4aed554a9f58a6eea2c1c932c2

SHA256
084bdbf0a3af35537ef71cc088e8238d7997c5a09f80b3c813dcecd97630709b

SHA512
aa59d4f31430e3ce17eeeab9cd22f5e61bc7a02cc55c264622294134ef9eb90f49c2354ae2ee42bab349655e50dd082558c841396992c1feca1801ce0e204acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6aa0a6c40d312178353fb18c1197421f

SHA1
55c191962458c5a118758f5827353a091779e2ed

SHA256
9ec436f7d223bbb5166b2a2666d6b503860eaeae7add586d41291584eb5f46e8

SHA512
863702c10ac6794f19501888d17a24d397a8a77ce734054bee1fc92adfe6d2a9672e4c8f952b116ce6433926109941e1359207df8d060e7b7eef29e6f350fd4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4532f2185e2ebe4fdb3143a6ec79c33c

SHA1
980230815ae46816ce79e59bacc08c60f3f2a212

SHA256
a36d3181fa0fd170968348fc418f7dd413d3672d861096cb77f0ef1a28543218

SHA512
c6522eb83bfd5bae0e4103ddf313da07985b838dbc93b391104751b8946cc98d239cc1f546752c95a6d59ee48659045f2f36b02ebc57cc16b8746bccfabbc451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8f2fd23fcc76efa00098604503bca3c

SHA1
dac2740ed789e346ff47c1eca93c45973ee3e60e

SHA256
4f4cf39fdc224fd7ccd98c6da6b0699beb445fdbaf0e4dd0a6c8d5d0b860134f

SHA512
e0514103019e493368c91326dac4021ef29d6b9eece045cdb1fa82d272d9c9bb2b805c32a923e570b2aad16d2d62b211ea921950c1e902a4a23a42c5935bfe75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
69e39de8702616812ed746f6336ee362

SHA1
afffa12c621238b4c8cf274a1e24db879347bde9

SHA256
7289f6c1fc0e1dc70341828a557edf81777023273d3677c35ddd71c3970f0e5f

SHA512
7fbf066ad05ead9b1c23bf682e48de8de3971ad15929ddb9a7cd2dd27499e0bfebcf2d6c521d8ef182d8ae6052852f248580966475ce79a4ac94e840441e2f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
6e53914999ec5b59bd03c335062e3710

SHA1
bebe0cd4d575f637364070a71e26d8f9449e8405

SHA256
2679bb3a8c023a1ad677462f381646b02eb31e55365fc41cfddcba9276502044

SHA512
ed8ee6c3e9a38816a041ebfccda08163d397452a2f01ed2e8d5b785d3eb6d7d7d822f31f0b1e8c42905fbe2d9bc0ec716ead268d7d9c199bbec20613852e609f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit