hxxps://www[.]curseforge[.]com/minecraft/mc-mods/first-aid/download/3952683

General

Target

https://www.curseforge.com/minecraft/mc-mods/first-aid/download/3952683

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608186188567408"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exechrome.exe

pid process

2396 chrome.exe
2396 chrome.exe
2396 chrome.exe
1572 chrome.exe
1572 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2396 chrome.exe
2396 chrome.exe
2396 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

chrome.exe

pid	process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2396 wrote to memory of 280	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 280	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 4916	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 2304	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 2304	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe
PID 2396 wrote to memory of 3556	2396	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.curseforge.com/minecraft/mc-mods/first-aid/download/3952683
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdaa08ab58,0x7ffdaa08ab68,0x7ffdaa08ab78
2⤵
PID:280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:2
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4016 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:1
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 --field-trial-handle=1812,i,9454342995244181431,7684893011007719438,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa375e56b007539d4174f4b7cadfd415

SHA1
fdb452cd1e2883bc40c0f9b0d3b0f11269f260c6

SHA256
5ca637c5981faf7cf4c2beaedfcd5f8f9a679b17b7651298be49efdbacf16f1b

SHA512
7da3098f3d30b76c8f89deb316c750aaf0b23df7d873386e7b4f26a635e9f4cd05d7e40563c8d5cad73de9b7ab22f364e6d1d37fac305b1a69b87dd8295932a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
51667b1daaf98422abb979dfae991a29

SHA1
26fe83dd334205df59218c3fe9b03b1845f3a555

SHA256
31a70898c5e009b943e4dd612821965b98352dc56eea52caa2cdd7ff5875745b

SHA512
e995e198d52fc68673f3169422fde382b8bb79903556c3974279e9cc5194a8108686666506aff6134f5b6e76a9b94dfa8b7b243825d04a37e3b7f2895638a28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
09ee75da9872dd415360a25595c5f0c2

SHA1
d521e29690f49a3ebe763b302d1ba6e572ac57d0

SHA256
0b7cc66aefc278bb88ffec616c53f78a2231a827f50f2b61f29717b401cc0cb2

SHA512
ded30f75807b307a90c0862adfdd1491659b0203c918c27ff4999840bd7e85463ab8804cd0fdd602c28c5c563203561d8c1d995f0af4db30415b5fde58d2b688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a1989cf2706b3b7dfdbdb28da34085b3

SHA1
a0d0a1e8dda658d1264690a6b305d6b82b00cb22

SHA256
cb5f5f0570031dc758563ed24c4d8116ee2e4d9a9363013a0e7418f6aea6fc54

SHA512
64423de9e80a1479f2223b529f04bca25a3692544e452f2dc510dd4bfb47d0f88ab5d935b56273c983e02d9dff6a0c06b02c59925a2d3901019d43ba39d739d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
e3a5ee500adb7a19be1bbc0324a5d323

SHA1
528ff5a53474d1a210220404e73a80a00c164364

SHA256
aa734e05a21023e2bed522f35b4b7fa59eeece94c6af74ea36ab9303bc798564

SHA512
fd4be3f95af0637f98ad79ab679ee24050a31ab472185d6bf9393a5033704a81a253de75bc062f47502c0723aab540b37e2ae77b6441d3ff0b6db72871d6c8c8

Download Submit
\??\pipe\crashpad_2396_PGNMYSTQVYLELZYA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads