hxxp://rwikipedia[.]org

Resubmissions

27/06/2024, 23:16

240627-29a5eaxelc 1

27/06/2024, 23:14

240627-28fcqszejl 1

27/06/2024, 23:13

240627-27qgbaxdmb 1

Analysis

max time kernel
30s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240508-uk
resource tags

arch:x64arch:x86image:win10v2004-20240508-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
27/06/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rwikipedia.org

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640038209735731"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4920	3028	chrome.exe	81
PID 3028 wrote to memory of 4920	3028	chrome.exe	81
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 3996	3028	chrome.exe	82
PID 3028 wrote to memory of 2456	3028	chrome.exe	83
PID 3028 wrote to memory of 2456	3028	chrome.exe	83
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84
PID 3028 wrote to memory of 2796	3028	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://rwikipedia.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3c04ab58,0x7fff3c04ab68,0x7fff3c04ab78
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:2
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1712 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4636 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4732 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4904 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4552 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4680 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5824 --field-trial-handle=1932,i,15698555257653384609,8801960434425462234,131072 /prefetch:1
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
c8b08ca54cf870331df8d09557a34c78

SHA1
93cc4f72604f614fd2ad168f1d034923c63e69a8

SHA256
b4bbc5ed7e8bba943e628cab11a77426707d432d969cfdfc7fc49757c74276ed

SHA512
10b527dea0839269db514d13dea895a478fa942cacbe80d2d98210ff5caba909f930c16030a1c4529f28056f0329230040352417118b5f0ed63a2165d4d8cb1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
425e91690aeadf57cd1dbde105df7796

SHA1
2cad7777af3c2509ca2f5b0be4cb8ee1ff95e5f3

SHA256
9e58ec97baa28cfd4da54725871c0de60432aec6e0cefbfb88cad7f4059791ad

SHA512
fb3e6e9167b95b47365806fb452e7f180b98fdc195993a3876e30b2c7db2d871fb59449cc0ad7aadb890a9b136a13068102a8a33d3168a89390cc4bb40e54442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
256378c4b0725db90aaa287b709e54c1

SHA1
9d7df95599ddc94b868566c3ebf548f360f86e28

SHA256
c1cf9b934149d084e1a8198a557f1c907abe96090159e1b9c81b5e6d0bf7f5e1

SHA512
f87d54418363792d567c8b0f72f346c4b2119b445cfe8bb9472127b1649a415025ef3460704bf54853cee47d33f9cd73b7a02318481c7c559ea798fa261e3ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
556932b70bdeb1756af6b7f6eabc315c

SHA1
6feb9d04dcf5a5b93328e51d58f5568a3e1ab675

SHA256
2661b523bfca770fe83a7e9ef9b6a5bb1373aa1be82e321c0a5c780628afb855

SHA512
fe3ec0c70dbfaa24e64661f2343a9413c76baa542565d928afc14af860604fb900f7a1c3caa663bf91cfa14adc1191fd74693b0ebc52e0e8da0947846716e91d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
3034eda7eda5f647f926621d1059471c

SHA1
b329a9ead45a5fe2fd688b928855a9ac52247920

SHA256
57dbdd3f2ccd9e19df25e135d5489a68ee4aea6a9fac3ec964343758c4a8b36d

SHA512
935336e5ccda100a281b18b1f5966475460a90323e90efbb047e584b659670a3a961b6a8ef4529345a436ac095386ab5d44716fbbf9381f67fefbee088f3cced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit