hxxps://github[.]com/addi00000/empyrean

Analysis

max time kernel
1199s
max time network
1085s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/addi00000/empyrean

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
25	camo.githubusercontent.com
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	raw.githubusercontent.com
18	camo.githubusercontent.com
22	camo.githubusercontent.com
23	camo.githubusercontent.com
24	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653797225882955"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 2356	3368	chrome.exe	73
PID 3368 wrote to memory of 2356	3368	chrome.exe	73
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4140	3368	chrome.exe	75
PID 3368 wrote to memory of 4860	3368	chrome.exe	76
PID 3368 wrote to memory of 4860	3368	chrome.exe	76
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77
PID 3368 wrote to memory of 212	3368	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/addi00000/empyrean
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff965119758,0x7ff965119768,0x7ff965119778
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:2
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 --field-trial-handle=1844,i,8850170780550892047,11525683044796390718,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c99cabe82a0b40c7ac2c9f576016e808

SHA1
ab23881658fd1bffa6182fe2e43803bee93bcd8b

SHA256
acfb0be9ecdeed9f5c40b1906880bdcb4a7f472c47767f1c52fc0cebb8bafc5e

SHA512
13c4e74bf590b37b1d15200015972490c23d23a9d3b5b8e35884a8689d4f55d17825927d1eb102e4700fbbb8f459c06347e833127bc9b7d006e5b6e9b1f47ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a3a094aa2fc3cb7b9656070359bd4295

SHA1
8416d7e080f59442bbba713f2a0144ae9a4f36f5

SHA256
42bb7ca305c0f857c762675d55bf4f4a2655613ef616e6aaefc8d066d53bea15

SHA512
f5e9d973e5e074d9ae11d9c4d091f33cd7670d71841d3211b995b5fedd551ed43269e31047f03208e4fa455016b48635ccc9135235ed9475d111a8e80d2cd58e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
51be54cd2724bfcd5928b66fe9c3300f

SHA1
96376b7944e628423c891acafe824053973605b0

SHA256
5cdee27af0b8079b1a996a68092548e80294ef290fc9860b3dcd486d5e3d86e6

SHA512
43b87654add8cf6717aa3a5b3515327cc0702de8624fb852485ab5a2c605a1007c8f3d9b6bba765cfb19c8bab41ba537d3e3c7516903cbcda257e424ffab3cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f22c52e5ae586267fc00dbf4b6ef52b8

SHA1
282948cac9d4fe6b28ff6da46142c1a18819051b

SHA256
b77238665f5b2fb8242a970026f60b1fe451ca2b5a11d5f9d53ce4cc903055b4

SHA512
38ed1af9072ce0bcb3a4708890d87db8519495368d0fe600f204ad2ecea020f49ac1150f51e9404b8bc0dc71d308a459436802c9de8de3672ce5726a0b09d21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a2f1e259af1fea6472ca83884477ed2

SHA1
b085f40f3c6bce684e57fe38b8499d2811308581

SHA256
9c4c683c3f645992145bce22b53877cd12c78facbc88dab7280d86ee5683d5ff

SHA512
f861add45a32ec1e3bb1598197233224f802e2e875f8c638f9c36a65c83d009cf01f187f1ad4106f4279abfe2b3503994b409765e61fe359eed7fb78e8d6fe2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c49c1b34e77ba30f4d2f8ce4842fd2c7

SHA1
f39fdbaf926165d8c9474735e808634d76ea1328

SHA256
4e6dd7979396a1880ea37551fecfcfbd8c6867d1cdfba54074c20f4ab9c187f4

SHA512
3c145a2fb9c24aea2160bab22477cff44c40fd59d74cdf3fb329f08ec18cb38be4ba8725ad2e157096d4f2bffd4ebd5e08e04b78340d8c83c46dd25bee7cd1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
8194d784553977e19c3dfa3585778746

SHA1
1942aca963653556548fcb7c31d4bc545d9e85f7

SHA256
496443404b91e57765d87d2c8a8e50b6793b57919354ea4c2506c6000675b413

SHA512
79a16713b264f792ea6c63f7303d4d6dbaf4c9a85d7cde40b6ba34463d34c606cd9ee955e05cdfc131892e5d5c53d6344e7bc2953cde93f11c53ec1e23572a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit