hxxps://eth[.]meowrpc[.]com

Analysis

max time kernel
14s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eth.meowrpc.com

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725735682422412"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 4332	2756	chrome.exe	78
PID 2756 wrote to memory of 4332	2756	chrome.exe	78
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 4532	2756	chrome.exe	79
PID 2756 wrote to memory of 2004	2756	chrome.exe	80
PID 2756 wrote to memory of 2004	2756	chrome.exe	80
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81
PID 2756 wrote to memory of 1468	2756	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://eth.meowrpc.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81377cc40,0x7ff81377cc4c,0x7ff81377cc58
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4852,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3196,i,9669082360111500905,7839942576761561994,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3526356d82653c03f807dbfe977cfefc

SHA1
f29cc95b1b34dc2c20b42ae712e48480a813e4b3

SHA256
4949d079f92c4a1667e3bf3bb155e09923f297874534777f50da195d9ba5cb1f

SHA512
709ec0d48dfc02fd2e5753ca06c0227a1fc4584e5f1f09964c1b4207dab6a56eac167317f8d5b203454602a5f59c6c090a91ccb364fdb3f32941e9f39294a67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbb64680a4db0a1b589821fd462bbbc6

SHA1
f155ce156d38346403d49e1d6410957202e26e44

SHA256
3e8976f76241467d677c4e9b21dcb7c912a9ac719fcd1436fb8416d1ffb0b6e5

SHA512
04c6628adc52b99949f7b59a0bb923fd75cc2865bcb0c74b17073bf90966ddffdef31a5b86ee4cd65303e2e6369da012d4081dcd03b657da98be54a613a5ebb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
07425d96e96fb3afe076950d693d6211

SHA1
6fb3161c9a7cec53c2ab6ae72ccac62b41f7d782

SHA256
e8d36eb6b1e827debced3ff10ecb04d8fae3983c05bf1da337e3cec340d8ba53

SHA512
64df1c2f134acb24f25feb0e33dd0a7349ca45605273ae11336d1b8ef18a2b985c2acf099f9c511c8b0b807f27d678f823f2ec8aafb5a55acecefba91da25319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
d3da4d4ffffc1c37c83468980996fa0c

SHA1
d4b471df021c4a56c4db244dcb33c8be7b8adba0

SHA256
7a35575756a02b55c583753cea13f89cfe8bfa12eeb5b916c00b3ac30bd6514d

SHA512
3c9efe3751e9caade638cb04d99ff23ef21aa19f085036fd88cce728662bb9ccabb28ab85ed554a58c9b2741463bd321093d7e42ff6793c409d6c8c613dea68e

Download Submit