Analysis

max time kernel: 30s
max time network: 32s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-06-2024 13:16
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://cicada3301.org/
Resource: win11-20240508-en

General

Target: http://cicada3301.org/

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618942227130519" | chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
3940 | chrome.exe
3940 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)

pid | Process
3940 | chrome.exe
3940 | chrome.exe
Suspicious use of AdjustPrivilegeToken (58 IoCs)
Suspicious use of FindShellTrayWindow (27 IoCs)
Suspicious use of SendNotifyMessage (12 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 1, PID 3940)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://cicada3301.org/
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 996)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97304ab58,0x7ff97304ab68,0x7ff97304ab78

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 3976)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 3380)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 4672)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 412)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 2460)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 2312)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2, PID 2928)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1812,i,11035264285186091292,12900640692956501201,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (tree depth 1, PID 2244)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads