hxxps://tracker[.]club-os[.]com/campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=hxxps://omeindia[.]com/Uyn4HW2/cgi/?uid=john@dysonesaloies[.]com

Analysis

max time kernel
57s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tracker.club-os.com/campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=https://omeindia.com/Uyn4HW2/cgi/[email protected]

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609621424328892"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

948 chrome.exe
948 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

948 chrome.exe
948 chrome.exe
948 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 948 wrote to memory of 1484	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 1484	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4592	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4592	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 4024	948	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tracker.club-os.com/campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=https://omeindia.com/Uyn4HW2/cgi/[email protected]
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95eb8cc40,0x7ff95eb8cc4c,0x7ff95eb8cc58
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1792 /prefetch:2
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2076 /prefetch:3
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2356 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4084,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3164,i,10098711174020248727,9378126363224373377,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
PID:3496

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
765ea4c0c71c572b3a9932f5035bd9d3

SHA1
d70d6cb880f2b4a1a099ee36f97f52cb2820dfc1

SHA256
64f8565bcee635b12d5a4a02e890997cf94cf0bc2ff473eedb12f1fdc8558707

SHA512
e6f96b54b176d15f788738067aa768921e6534b11309d1a23792b80c963a8dd664d4cca1d94cfa7879f3a970bfb5c22c298ff5e0f2d33c8dca7ac0d389608e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
9cf66dd7f97f472ff20ca1c659a18189

SHA1
eba950cfe5d042affb994bfade87ca0a6411ce7b

SHA256
d9edbab9f12240e3f2cf1c5e96f00615039ecce8f2591e7d2ff844e42ad79722

SHA512
3f98c5c1523deca5855e9740e45415b73da3b90f91bff99350c98eab125dfc347cf57904809cd858ac63db74f7ac1532e730860e258a6a0cdb8989d8d84f19c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
5fa3db35b787867f8935ef75cbe53972

SHA1
369290c6fdfea1b93f6eeffb29aa931a854c7f5d

SHA256
c625baf7c55718167b7249330083cf75b53281753f90265f5f43b7597a484a21

SHA512
c702ba7158140572875496fca240dc8ba769aebc604b24e8132edf2c7658d080e1439b58bbede85bb06e96deaadcfd89079cdbccf5a76672bd50b8fb07415af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
36034b3c2452afd1b7c4cb57b8a84189

SHA1
0d8dab1746385ccffb77c6530c6266280305087c

SHA256
ad60cc77524fa14b540691cc12cc76a8bd955e1a68d5f3b1d112aa809c2a5211

SHA512
ce094bf2d535af7123af46273f160a6ee97f24807de2b67b7d5ad87c35ca0394c63fb2d44a85ab1308315beb06202cb28e8acdffa7ab9379638d9a37abcace05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
cf11490c155da3f77de8e3bc0b55fdb4

SHA1
76e6044f17532e94644403ae8277122936b79324

SHA256
db8fcb63ec9e5e0b12f552aa5d490c870a2e74259b5a0ce27e5085d9ef4a3be7

SHA512
de57f81bb3f73656e4711b1fc1bd96adb3a46d682077b6e81385f8189d7cb5b2864c90beeea6f806f72c2a22d3ea943298ea6a1bcabf460c7f0241e66658772d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
c795432dbf521c3bb42e541ccb0744a3

SHA1
57367b0dc3d69d41f8dadde5ebb3b74993557561

SHA256
45b9ffbb9e9310871d9d821d36904bc2ff65a322d413a696c89473f13fcd9cdc

SHA512
436989e6762f1aa5bfd73241b4f13fbb2753042da4048041cca960ecfad7b171eed4fff14a1cd872ea08528327b8c80b81067959ed49b769ef05671efe88bda4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
42109a6a4e7894a39774e91126d301b7

SHA1
1edefda18bb30042ff6a745583ccf4e479d472d6

SHA256
b866f459012f620473290c6087d71050b7b576d1c8c4c82d4652741abc2407b0

SHA512
536ba8eaab66abb67a5f141d280028cd930d1adbff35c984641711391a12f5f3866f13e6c886a9a7e5cdba45b52ddeea53c790f4416d4d7bd3a3fb3a81f71e84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
477b6cd25144e7b77b0f94727ae2677a

SHA1
0a68ba069585be5bed2bddb2720a8bd9cbedb493

SHA256
7657a47ed1837cb8a713416ca21ccefed20f5a537a38149a6170a3c56ace2999

SHA512
77784b919d729f2e76c23e9fc8a17bc028ece6088ffa25ab16634a25a57aebb370e63dcd5517a09db21597b072eb98b68df343aed0a627537ff1022caaceabf0

Download Submit
\??\pipe\crashpad_948_MVXYMOJZBTTBWGZD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit