Analysis
-
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 20:06
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://kaavericoffee.com/wp-content/cms/?p=qmdf07GjLG
Resource: win10v2004-20240709-en
General
-
Target: https://kaavericoffee.com/wp-content/cms/?p=qmdf07GjLG
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133661523996467393" | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3068 | chrome.exe
3068 | chrome.exe
3692 | chrome.exe
3692 | chrome.exe
3692 | chrome.exe
3692 | chrome.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
3068 | chrome.exe
3068 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3068 | chrome.exe
Token: SeCreatePagefilePrivilege | 3068 | chrome.exe
(the two rows above alternate throughout the 64 entries: 32 SeShutdownPrivilege and 32 SeCreatePagefilePrivilege, all from PID 3068)
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
3068 | chrome.exe
(26 identical entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
3068 | chrome.exe
(24 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3068 wrote to memory of 4192 | 3068 | chrome.exe | 86 (2 entries)
PID 3068 wrote to memory of 4936 | 3068 | chrome.exe | 87 (30 entries)
PID 3068 wrote to memory of 3680 | 3068 | chrome.exe | 88 (2 entries)
PID 3068 wrote to memory of 4560 | 3068 | chrome.exe | 89 (30 entries)
Processes
-
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kaavericoffee.com/wp-content/cms/?p=qmdf07GjLG
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe97d9cc40,0x7ffe97d9cc4c,0x7ffe97d9cc58
  PID:4192
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1656,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1844 /prefetch:2
  PID:4936
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2032 /prefetch:3
  PID:3680
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2340 /prefetch:8
  PID:4560
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3136 /prefetch:1
  PID:4608
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3180 /prefetch:1
  PID:444
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4328,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4648 /prefetch:8
  PID:2064
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4724,i,9777557129870421807,1733512296905313983,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4440 /prefetch:8
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
PID:4708
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID:3984
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 649B
MD5: ae260b02ec91a3ae3e53860dd34b35d7
SHA1: 4a96e013c096048f3c9b00fad3b0e6845e628494
SHA256: 31ca3a70dc9d3d3ba17edf92f4c3fca35e0eaab98d2cafdf131aba037abcbf80
SHA512: 49000d97f3cd438016c54b0ae10e0f55b25aad57825bf4167da194e658feb901725b30d29105524c2bc0b6ca87dbb2fac7ce618fd99d854b2e7c5570da2492c8
-
Filesize: 1KB
MD5: c9ec55e65fd458edd74e65a0b4483718
SHA1: 982ad801a703370512ddeb8ad1920265ceb8fa97
SHA256: 128954afe58b1d03f9b3c598f237a8ae071f07cee0d0a9110807e52db3a8a7c1
SHA512: 608255ed1d773de9c26761557a3bcbc9d70e894887ea56612057a12c410d8a4b197f8f8bc4f18391a3416d3fc94e895a7aece73eb95d3d3770c45c5faaf2c6d7
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 9KB
MD5: 41a9dab1d7ab4fdaf52aacad1b8f1faf
SHA1: c1020f92351d5341cdb21b426b7d6f4a4a1c76ff
SHA256: 2dad840565741b2d6bf08ec9e5ed1573e86f1494670144962568957748a19d0b
SHA512: c990cc26befeb21e337a360864ce8a26af6c1f22222799cf61459dbf9a0860a5b6a6b69898d58cffe296b844cdb100a10990d1566d45eee0018a0f5c2fd9d4b9
-
Filesize: 9KB
MD5: c735354a16c768a480fc596657f0c55e
SHA1: 34fc39473ba2ce4a6a216c456e7edcac900ba71f
SHA256: bb7ffb99d0c65166c34be6dbee691958e6cfa08dbf529c3fb5dbe3a63832660d
SHA512: b43a669bd728833db5b5460dafc54d1901bfde3ad54a24f52604f89b28e68b2d0440137237bdbe620433cf04c459185e39783c7bc7d62abaa2b0b619b35e3fed
-
Filesize: 9KB
MD5: 996f76bb24bb1f375afa3469e4742ba7
SHA1: 824cca1058e6cb317c4ecb75ed059656e134b7f8
SHA256: a7c30f1663f1eed586c4bf1473dbb53fc2d7993d69fbd6beed003a4d07c0a6d2
SHA512: 5c0ea565919c1a0a1a86596fd2182856144b98ec8d456857873eedf21b9a022c5a0fd997526f95ce26308d0e9d5b464089f5cebf4d46917dddc00c1112ed0d40
-
Filesize: 9KB
MD5: 146c02da9309e6d90f1a1d04ef0a4284
SHA1: d45dc6e7382ac3924ce4c8dcfb51e0c980d69dd2
SHA256: d6b0ea04ce830da61088d9f7ed4a9f059babbbf4d32ebb6a96c9a40da1c5e2a6
SHA512: beb5d0bfd56e551c61abf3c0cde84aa65f7bab67cd7416b0617990ec8db000fc2397dd551081f8cd609743950ffbfa1e3a5912ecaefd005489cfbb007083ff4c
-
Filesize: 9KB
MD5: 1ad75e5d75c697e28ad0b9f17e65de9d
SHA1: 80fe204e0875168eacf9ad29b300804055732949
SHA256: 8be72da629231b10b58eceacf1329071076c799b6f2a49d43e48247d644604b8
SHA512: 09cd6c036b5560e99b7f1b67e28b39d83badf960afc0cf9a8351c6d94ebc9af0d27d2689c86ca38dfe8fda33ef4c4725823edee5b475cb3b5c2b0e39538ce30b
-
Filesize: 9KB
MD5: d92705b269fb77358841f9fc64ac2165
SHA1: 145e96bc9f3ad71be429edb9842834cf0755ecb5
SHA256: d36e83d8526a743c773326485578d5055c9039ad16bd204383d6976c28941e5d
SHA512: 7ec5ebd331a8ed2f7036608d9cb33a2de6b7d97ffada6347def0b7e94ccdfb9277644be17582f981d454f1d4f6f59695bc09c682db328aec51abf86566184b68
-
Filesize: 92KB
MD5: 6add336683de382b94475db57a4f6b7d
SHA1: 769e588e65f7d437751a8ff1a4f1834eb499566b
SHA256: 16e1eeea8800d53401f1665db7b29351991de3af74eaacd856d3d9d458f2cf91
SHA512: bf588ade35e5bca8dc55a75180ad8f81df421e289bc0f95b3ebe799bb86673cce40853b1afa1633744cdaac2add495cde1a1c029a23907b9c1ce3190bfd9bbd1
-
Filesize: 92KB
MD5: 4e9174ec989e5331feb548cdb80731cd
SHA1: ab9b9005996fd2e0a5ad5667cb160930e17b5fe7
SHA256: db47a8beddf700eb0b9f0828aea8625bfbc0ed3bde465c0858866f7c98f0b46e
SHA512: 595889058c1b85cbf66e08845303890f70ed9c3947299b43fb3577d6a107f548893877b7fd5a36ce62728eeae4cf875b58277e278ed12ade155938e60eb25492