hxxp://buddywatch[.]app

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://buddywatch.app

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622439240528598"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3508	4192	chrome.exe	83
PID 4192 wrote to memory of 3508	4192	chrome.exe	83
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 384	4192	chrome.exe	85
PID 4192 wrote to memory of 1868	4192	chrome.exe	86
PID 4192 wrote to memory of 1868	4192	chrome.exe	86
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87
PID 4192 wrote to memory of 1560	4192	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://buddywatch.app
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96032ab58,0x7ff96032ab68,0x7ff96032ab78
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4532 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4652 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4812 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=2004,i,157568267597630347,172852014380061488,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
ef7150d717de4a7baf93e2309c932e52

SHA1
6cbe63e1d71790119a03c8863f8c620b40339cf1

SHA256
b0bb7bdfed8c996b2f9213270bf922df2141e7bfa8a25c0233fe5658e8fa056b

SHA512
80bb8ef11463dc1da78047cd7c323c72c6d8e647031972ec89a5addc3338ef05d227f16d13e8984cee01f895f1bf050b90ef1f67b86b1827d27b209a6e4988ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
aedb5a466790afbfae6038bc531832bf

SHA1
31463f304db9049938f5e069e736c23e454c9f5d

SHA256
e62e21ff7919c7c21a5ada72cf1cb1251730ea719b0d2614dcbf8251a3f9fd4c

SHA512
29bd94d7c6ba42b51c6f2fdbd6751ba60b156051c09b6434f0581cbad6962824900ff3091fbe34882e811b85916dea67f60415a34eca07d2db1ca5d089f66c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
88f189e50d957b84f39e987018cb54a3

SHA1
e0975b99022296223a322af01e862ac0425473a5

SHA256
1ba8f2f0fc0977a7a156d0ae255fd533ada51ad48030de720be89b94150b2bc0

SHA512
0301d627ab53de53bccc92fb48ce237c75860da482046d6ecf99f0aeb0d48b54135232d217353e84b3e602d38f30a84bbd095dc07dad0472d6c3dcbf9648e4b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8b5870fbb7b17b75ea253db19d76159a

SHA1
a069d1703f40f931fabcdd88530885d304bc23aa

SHA256
0d98f3f1c3efab5674b205c1726344d9c6735bd177e5a82a5d31613a2c3e7d61

SHA512
67197d32a110f82513e5f372b25cab9ce5fe97d989aa67cf1e990a52d287743b015f6e15eec9b52c2c1b8a55ffbec7f41af61d7e9094411573f55ca272c774e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4848837018d954e279471b689cd733fe

SHA1
efeae82f35d38ca0e34e3a364da4a68708e66600

SHA256
73dc414e2f6fe780e97715cef187ffe217e767429cae96e7c7c092d684b737f9

SHA512
b44532a7ff2021cec76c545adeb0c0e2ab4390fe5ddfe28d74396b18890b87d5cca0981a118af40154d96e7f1956a40ffec5e38c972ae23f8f798a85d130f0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
9e62fb30d5edb4d5f954b4c5189a806e

SHA1
4e6b6822f128ca4d32c2dee7a2c26f585e61a456

SHA256
7cd9dc32f41477fe45d6029a54dff4af2bbde3ef358bf81fb86ed717e13e9e3c

SHA512
9e6f08ff31693b79ffe5ab0df321e17d9a10986645e235f9cd54eb9f20b4326e0b0612a6c6ba78c97b1ff7a3f9a9cbb5a07f52ecbab05f51983c780e28243fd0

Download Submit