hxxp://kw[.]phaseranarch[.]com

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kw.phaseranarch.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607708864571095"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
2688	chrome.exe
2688	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 340	816	chrome.exe	83
PID 816 wrote to memory of 340	816	chrome.exe	83
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1888	816	chrome.exe	84
PID 816 wrote to memory of 1696	816	chrome.exe	85
PID 816 wrote to memory of 1696	816	chrome.exe	85
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86
PID 816 wrote to memory of 4092	816	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://kw.phaseranarch.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aba4ab58,0x7ff9aba4ab68,0x7ff9aba4ab78
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4004 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 --field-trial-handle=1932,i,12055235821580073892,3408065322915097313,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
50d6b7a26dbce6b1189a870fb12c5a38

SHA1
76c10e247660a75327f1b71382678107808cf4f0

SHA256
c38df0d8726268aea55a0a8f872e410fb1054060809b60b3f66e8f8cd5b656c8

SHA512
bcbc2156ec5419e95e26578a46c6aa089c5724eece28cb417156adb064cb072f38e1c5bc0ccfcef811c97c3c554c3e5261c99c077df955354b2da3c56ca06a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
09612d44078de32ee971b3bc3d030be7

SHA1
fbf7a1ec565565fb54952977a5eee72bdd88dd84

SHA256
65c0b7e3523ef9683ee086f0e9191c1b632107067ca762405c6c1c8d93380e46

SHA512
1af06211ae89c8254ed6e99f3d8887b476ecae1a270c000d007630453cf13f5aef12e66e6f70734f5d21121ac5ca59e763d6badd66ef38a90f0f52649c790d3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
d606dc1767e30507a6a35ad8f4c55663

SHA1
62f9d76fb947ffc64cad8a8a023155287740d759

SHA256
1525b4ee64777291a1ef024a51cfa3247b65a0cf7062fae498a27b95e8e75b8e

SHA512
c77dd183036cb4eef6584a3c79024313f92578bc9f3656b1d80c5e9f89e582b897ac9bac95e1ec55234e8e5c02e9e7e34a7c5803e2e67e53ae4b23ec65ddb675

Download Submit