hxxp://vergwtex[.]cbg[.]ru

General

Target

http://vergwtex.cbg.ru

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608162410867336"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

372 chrome.exe
372 chrome.exe
456 chrome.exe
456 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

372 chrome.exe
372 chrome.exe
372 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeCreatePagefilePrivilege	372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 372 wrote to memory of 1072	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1072	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 4452	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3724	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3724	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 3972	372	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://vergwtex.cbg.ru
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaee4a9758,0x7ffaee4a9768,0x7ffaee4a9778
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:2
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:8
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:1
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:1
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3740 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:1
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:8
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3436 --field-trial-handle=1876,i,2145342458612512751,11429402729924173569,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0e7d4346-fb30-454c-8a70-a24877b1406c.tmp

Filesize
5KB

MD5
70125a607d676b30e79b04e43ad873dd

SHA1
2adc6f7c18a5b4ce81e492ff1d1e0db0dba33e1b

SHA256
5b0c2c58dbd0cec8c8115b229d4402ed187ff753781d67ee9371bb2a9248143c

SHA512
78980dd5a5c117ac807df43f8a292731010efa56efe2fc92b90266694edc30a97ca8ed80d81b6e22eeed7b28774e2185edaaba8307e72e89fef1a6adada54630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
932B

MD5
adf1112484364766e2865a44dcdee8d5

SHA1
105affe4a551a609a6fbc318c8c663ddd85fdf2d

SHA256
06711fb7587aabcdab732ecdb6f211a096b8165e607cdc6346a16e63807a90a7

SHA512
db9ced2143ba14754c5e12b99a4458b7dead755c6e8f4878245ec8518908521933747fad8deccc2544aa0d8aff2928c48b68336a5a4325a35fdacfbcb5127f9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3adc605fbdb4e2a1165c649a31d3281f

SHA1
eb4a5488bbd760bda0a4784a684eb599ca6917df

SHA256
3504636f21e24c7bccb0399dc1835c4b66e377677adf6a02ad257bb5843e7d7f

SHA512
a0ef28007e33041c4a4bdc62bfa95409752410661ec3d7bccb8cdbefe2ae7de64d2329feec7ea2689ea7d18b5e7029e8a83858200e7962b0fdca960e78c99cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2973305facc3ae96869614053c596fd0

SHA1
59b21a588f02acedfa1d022ad31b48d92e2b8f6e

SHA256
5dba57bf36c5d31947890bfcafbeb315b01a70a17a162877160fe9460d78ff62

SHA512
d931221033733092d8926631367643d91580da4f3b55772f282470e7bf1e97f8082614bbfa65bba79068a0c48962fd25006f09834380830deaf2f6b74988cc44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
357b805e20deafdcc2917bcd4dfa1ad4

SHA1
506bf8c74941e757f0599fe6ea38e0916fab2588

SHA256
f8a8ff4a562f455b7d59515a42bb5e0792d0264dc2effa983bc80c7218f158ad

SHA512
d40c155a5cf95e3a1bcad58c555faf4208e5c243d512fe3c2abc1819da4381ca78a7091f5ebdbd335c982e1cf294a9ddb3d0f98127c0b74ad3ef4dd752178896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_372_FRQJWQQTDHLVVJIC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads