hxxp://riflesurfing[.]xyz

General

Target

http://riflesurfing.xyz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637763851672149"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1492 chrome.exe
1492 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1492 chrome.exe
1492 chrome.exe
1492 chrome.exe
1492 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1492 wrote to memory of 2912	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 2912	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 424	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 2132	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 2132	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe
PID 1492 wrote to memory of 3140	1492	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://riflesurfing.xyz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeeceab58,0x7fffeeceab68,0x7fffeeceab78
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:2
2⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2820 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:1
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:8
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4516 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4180 --field-trial-handle=1688,i,1175305171841553060,6284686054032713865,131072 /prefetch:1
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
8835a82deac244fbfeaab315cc37805d

SHA1
ec4e9c3339f8996cdfd1ae1d7dbb8af6665a148b

SHA256
1059c7a49ece3f464777387bc3745c63773b1840b3d47d734a5f31c09af1d9c0

SHA512
cdb723638002489eabae8d40a0cd14e572fb98c687beeb0e3968e2a5462a58369325ad9425a57c1df0e8e0c0c4ba1d1a87c72b755ed7ceb6dcbde4454f4501cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
b1c8ef525f1e06b2c042b0035785a736

SHA1
0709a9ba86c82e063c1aa232d2a43c1d62c616bb

SHA256
63c61048dfe80fea55de28d1abd4e1131fdd5975f478f94bbd64ba63818f1b53

SHA512
adff620aec41e67b7c5ac92012208a1b47d22b3bca6ddee88541854d0aeac160cfb849207d6e80b23457aa55a02b120e97a85d628b6fa9439e88064969f4b4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
a93f972da703def924027544f33d6f3e

SHA1
6a1da4ccd14fd0ce4cbfd424da60d62be9e6d833

SHA256
093a5bc08a995447553b5d517918af6f9792f6f0e1dc3e9d00769c299cc85aa7

SHA512
17ad65c0af4de7c7611a4fe96802f46c3d6c77073d6124ece6050222be96dfee2413c5eea13d4cf43580f1e7ce08fc3349157acfc2d79a850e3ba1f3c98a5d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
68bf8c969beb758bbdff72035847c1ce

SHA1
245a4a28f29876a320840885d7b033abcd78def7

SHA256
85fecba6036c557b88fb4252d288d66d93b3d39a08e877364bf1b5cc35992b85

SHA512
85c3a9230044771c3acedcaa95b583c4cfbd50df155afa728eff56898ddde7514f614d2adf22cec7659d738a2ad6c176807d17c586bd476083bb3fc90fdffcdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
dc23ab662a068bedad4a9b5e999dca8c

SHA1
d39744f173defa156eeb2bc3a69f7e0eac962c69

SHA256
c748d2297381b1fdfabfb0fb36dcc29cfc8e1382a156bd23bee0a19c0c91c721

SHA512
bf4738612260f22b58a721b09f50f4f1bee98217575fee18a6a7475132117d56d7fd356f33ffedb33559e3d2c5f0f494e1f6fa4aee8a459ea3d54bf6d5189ff4

Download Submit
\??\pipe\crashpad_1492_NKYFWJKHYZRAMUZH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads