hxxps://tulotero[.]es/

Analysis

max time kernel
14s
max time network
27s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/11/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tulotero.es/

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764928006522547"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{97DF6090-B045-4A11-9BCF-66C25BD57D5E}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe
Token: SeShutdownPrivilege	2352	chrome.exe
Token: SeCreatePagefilePrivilege	2352	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2116	2352	chrome.exe	79
PID 2352 wrote to memory of 2116	2352	chrome.exe	79
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 1600	2352	chrome.exe	80
PID 2352 wrote to memory of 2320	2352	chrome.exe	81
PID 2352 wrote to memory of 2320	2352	chrome.exe	81
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82
PID 2352 wrote to memory of 1864	2352	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tulotero.es/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe945acc40,0x7ffe945acc4c,0x7ffe945acc58
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4556,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4696,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5436,i,11629288037660052231,320834224760678381,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:4864

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dcba21f06bc8a37c5b51d403ee800b30

SHA1
9a7f56084d568797e31fabad77cb5932828e96d3

SHA256
fa49322f2d2ca0be31e8a78f60d301a97accb34e4e1e68825f78fc671117297c

SHA512
65ea883dc2822e603994e4d3a509d4227cf548f0a7d11350d9f462cbf69d5bebb0079a9f774ff9dfca98b724f972a2058292a92319f5ec9bee666337ea73815f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c9d9b30378ff5e023997f988f0b0c059

SHA1
2645b8e090d9722afa9b651fc8e556ba228a8432

SHA256
ea39ee41055180a97caa6d6e858cefb39a70c4eb24bf8c7b491a4cacf17b3073

SHA512
2c89284d3463967a9c31033416332d48fc2ca566dd5b011d1922b200f8564cccb4ab21d386e026d5ba0274bdaca1e5c79de38ab121d87c3bfb87217e7791b7bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
10e6dac1bf14e7844cacc4e465fad3be

SHA1
98ee718f76f37c2ff06e92e0b3d2390237bf50b7

SHA256
5f6f890027d1cad5e83ec4bfbd70905945bf249f98ea1ddd1e5922dc16983084

SHA512
a99c60168f27e99b809c599a367442ffa64886fe86bc7ba72f3c7a5634d8815184b41aa77d59aa916d6f7e1dffa30628f6270fd0932f68c6cc121e7754d6178c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
77B

MD5
75651e7584b5ef52857e9d351b16f38c

SHA1
433046ff086eafb2471ac696dec240009bd1de91

SHA256
48b3ef4a5430d952abc89c63b39081d1a6c9d2d6de1eec5198f5dbdebafb3274

SHA512
3016a8999e14854cc29773d0d1437466c71ef008ad6348b47b8e5aaa128f0a61b28e4dca3afc80363c0c7fca94a8216860530883578459bc26d8711b20e5dca1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe579b75.TMP

Filesize
141B

MD5
945331d92729546bbc944f8487814a17

SHA1
9580049c2a0de5f80cb94183eff6bbc8d58a4371

SHA256
53a31e41cfca01740c4a35cf82ef89be1fc1a52d193d42e010119ea8503fc70c

SHA512
4889d72f776c0cbce5f29169437fc10de3f862dffa34c9cbe77fc07b0921084b5238bdc2e6d697d1ede7fa9d074cb0157faca9ad2393f3d9ac02b9ee928c2e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
2bec3955683af52497eb4a044a028f80

SHA1
aa2a007f02789e6c24b3a9c067b9712473b186ec

SHA256
a559af1594819fda6375654b70f49fd74c04e62d2282d6765c0bb4fc197c7b13

SHA512
0c3b08e46e2561662a74f07d81958e6ae8f333b5bec3b690addb2d5d7ccdbe6d09ba2906cb59eea3770d55286da2e9d2329097d0f99d216786ff897b8e0cb637

Download Submit