hxxp://www[.]watchempire[.]com[.]kh/

Resubmissions

23/05/2024, 07:09

240523-hyxdqaha96 1

23/05/2024, 07:06

240523-hxahkaha51 1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.watchempire.com.kh/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609216412065824"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
1760	chrome.exe
1760	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1636	4076	chrome.exe	82
PID 4076 wrote to memory of 1636	4076	chrome.exe	82
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 2828	4076	chrome.exe	83
PID 4076 wrote to memory of 4352	4076	chrome.exe	84
PID 4076 wrote to memory of 4352	4076	chrome.exe	84
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85
PID 4076 wrote to memory of 4008	4076	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.watchempire.com.kh/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb3aab58,0x7ffbbb3aab68,0x7ffbbb3aab78
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4120 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4560 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1836,i,12856499994160200593,2526732851957205689,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
39KB

MD5
208660e59533c6cbf0f0d3942373a069

SHA1
69fac0e5ef12664276aec6efa7eff539ecdbee15

SHA256
660839800a01134379a4231838eb2371762de76447f6bce3bb1be506e672fa04

SHA512
94bda4960a19a0291c1dcf479c38bedbcdbdf67854b6749dbe03161bcf47411b09a760f14266672ff7ea069305f7313bd6614116deabd3017db098e1d334d3c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
56KB

MD5
69962c604013e2ef8fba0459e2e8a224

SHA1
49013a094a0f9465ddcd79424ae71442d4616e65

SHA256
c24865c39f8fc42fe8416f2b8e8cab680a3c0a957392750c96c2d78f1768da53

SHA512
ab04edf4da9583a78373ecabda230f916255e8e8f125d20ba4ed8d628ea71b1cccc9584b9ab59acc45f361cb640f741884a464d9ae5f3535102308b10af8133f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
596b6242f7b051b2d452e5f31ab37345

SHA1
8b13deb25a85a534db420918ea92afe14250d1bb

SHA256
0eb0ffb02cdc2e8a53422a149cb2d0de0308836067acda18cbb086140e593cff

SHA512
0a19913ff0281257f9ad32f6a484249ab373e911e1202019ab58eb978d9611627cf885ce34af0ca79af519c1d8edaab959dcaa7fa093d6d0f631a00f070c4944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d61946a7e6bb1fc18b72409fa1518160

SHA1
4aef7234a7c0453151e624d00d3b78cef8e35555

SHA256
826899137b04d09f973730ef5b6aa8e4e95aff3955244e6a148ec224283e52fa

SHA512
41467c2a43249aacb4b8ca52cdfbfebffcc90eee5b5f0917754741c2d993d849595f795669bb31059d115805877519890230b54714f165c20321f2b36912d1d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4ab8b43275c5df48ebed957f4d2f9483

SHA1
ccf1bfd2cd2f9b5fe8005c1d9e95e06c5c59a838

SHA256
c4938698cd308a3fed9a9020b0d40fb509f82eb69e3e2f4817e9aa7c08991ca7

SHA512
1613cc8177b507dcbb5a73cc64b2616f84f88cb63eb750a095b390fbbadef6540e9fea45c353fb10ddac8f891ed9d9222b5e3996fdb7a8e6db5a1da93cfd11f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
802c8ca0ba320d2cbcb4b54f95674002

SHA1
48ddbd1f7f154e08a7a1b532ef7aa9920b50e52f

SHA256
5087ac1da692aabd3029da6fd3a31dc7a87e5155609a069f84b89a61ef0081c1

SHA512
73b9cbfaca2472f62f42c6f9b3893df4074888798242b36ff6b4c52c054d754b38886faf236dde5c1ec5f6c25d85b559044a69ca9aab8c5857ac2300363ec3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
cd83e05afe071724031a2816024605a5

SHA1
80688c039462b8e887b10a15ea0eff25d5dc86e6

SHA256
529a246fae60e5f469287297f0d691756508fb734d7b1909f126097177c0b0bd

SHA512
e4b60cc2c8704f115f25dfbe88f8592090127eb665a2ad65576398bfaa50020e3d2403bc429de8c6eebd563b6896c5a22a6a9acb52145d751acbef1e65d60aea

Download Submit