hxxps://nodeservicoscxg[.]is-a-bulls-fan[.]com/

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nodeservicoscxg.is-a-bulls-fan.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602608567044265"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeCreatePagefilePrivilege	2628	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4956	2628	chrome.exe	92
PID 2628 wrote to memory of 4956	2628	chrome.exe	92
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 2796	2628	chrome.exe	94
PID 2628 wrote to memory of 3984	2628	chrome.exe	95
PID 2628 wrote to memory of 3984	2628	chrome.exe	95
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96
PID 2628 wrote to memory of 2368	2628	chrome.exe	96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nodeservicoscxg.is-a-bulls-fan.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff894c99758,0x7ff894c99768,0x7ff894c99778
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4548 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3436 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4644 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3720 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4368 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3324 --field-trial-handle=1808,i,14163001310277297706,13807638214225690638,131072 /prefetch:1
  2⤵
  PID:752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3924 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
09004a2877ad9c5e97ca85138e97e303

SHA1
079e2e15300a5ed8834faccb2eae8015fcfa268b

SHA256
d308367f5e7f7503db8c56cb67a2e853b5cd080fd6baac4ea85546f0a8c0d4a4

SHA512
d0e2e212ab8b6166d9ecf7f60070d1486674c4cf90ed6e92e801230928537e541146470b8b126397507453986c5b7ee34526e6c6d87ab4549412714062525121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
60013e7c8b0b5bee7e2838af2b8937da

SHA1
858e03be7dbf81dca06fed2c16fcde7c8ffdf2ad

SHA256
2b27e1bbda46e1853a4cc19e8ddab562cf0d0bea4edd271a9654fe227e1a1f5a

SHA512
7650e0f98a93c6800ba6b6629978f08a547abf7636414cd56052d51dacffa851ac56aec2e3b6e57e0433038464a03e50c0e130cc92d8aa429e6e72b82a0bfd51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f3ff7c51233568ab370abb8c1532e0a7

SHA1
22d03ea318c2fc31518871791d330a72d3bd95d1

SHA256
d1ed238ce471c134b5489c0fcd695054a5ff0d017745f0421dbd4c9f78c43bcb

SHA512
cba6fe39ad24be019672fc74a87538df72750802ce3f1318b39d90cd5aa217d36c7818a5e5c59a0e67838d2ff40542a87e9beed74ffdca78124427bea0116be1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
7e4ecdea52e467bc66d155fabcf4acd6

SHA1
dc74b7cdcec4f466f575d63aae2f27512a6d1ab0

SHA256
66b525038c7a2d2e2f9b8e3d2bd5986a84e904d476c6b665641ed7092df04463

SHA512
9729baefe64b1cea5e888d23520d5893524366d299a6620ba869f7c3fa437c26aa4d319a625d042b8de0531918631d4cb247cc41bfd641e7f53ab73d805b4f8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit