hxxp://www[.]richfriend[.]co[.]kr

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.richfriend.co.kr

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614241354762951"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
592	chrome.exe
592	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4540	4296	chrome.exe	83
PID 4296 wrote to memory of 4540	4296	chrome.exe	83
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 2368	4296	chrome.exe	85
PID 4296 wrote to memory of 3572	4296	chrome.exe	86
PID 4296 wrote to memory of 3572	4296	chrome.exe	86
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87
PID 4296 wrote to memory of 2816	4296	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.richfriend.co.kr
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6dc7ab58,0x7fff6dc7ab68,0x7fff6dc7ab78
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:2
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3808 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4200 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1568 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4752 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3220 --field-trial-handle=1968,i,11696061258004257706,8773623252438368488,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d0076377a6261af46431a7681bc8b234

SHA1
6fa3b931475ec2a2d8159c60e9037adf16d2f640

SHA256
6d330b4c1eb2c67cde041a1635878ff8dd79d2b405304d93a1c721a90ae195f6

SHA512
d5b5de010a8c4b1ece48278023fbeae9a0b80be061ae85993a7a82a7f384efeac1052bc91c5dcbfefb670f3e6af42d8563a59c773542948e244d688275f78bc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dca43f4cb7543a31537a8d4fcbd26250

SHA1
5932653c966588f0e60ee61346123eadbbde3ecf

SHA256
500587966846623c7bf3d0500bd0bb821469c1dd34dec0d44377aeb67cc656d8

SHA512
f2d75c20901ff9fac94e686d2f294ba7ec5d444aaf180489099de406bfa311a030ceb6eb4c542021f45cdacc8ab37d1f9925d7ad311d1bab9535a7f1196c7b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
070e363454ca1b7a1dc4250c798e6665

SHA1
67237099ecf2096e118c87bbdd42acc744e53f92

SHA256
d7a30434dd4cde16eae12a2ba2afdf0b54a120fd06de77903dc207a52a03faee

SHA512
e34f11a5184fe87552c7a815ad6934415b478516a88fdbfe3cfced7d3ce5daa79d63f4ff76d668b20118a22d03412ccb0b35c9d7db9605c01b07091b28e309b2

Download Submit