hxxps://ktcqol46io7vnpbp[.]kursusseojohn[.]com[:]8443/impact?n1jdho3iszzj78q1=caa@gazetadopovo[.]com[.]br

Analysis

max time kernel
36s
max time network
10s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ktcqol46io7vnpbp.kursusseojohn.com:8443/[email protected]

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
700	chrome.exe
700	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
700	chrome.exe
700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 392	700	chrome.exe	79
PID 700 wrote to memory of 392	700	chrome.exe	79
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 3368	700	chrome.exe	80
PID 700 wrote to memory of 4824	700	chrome.exe	81
PID 700 wrote to memory of 4824	700	chrome.exe	81
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82
PID 700 wrote to memory of 3008	700	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ktcqol46io7vnpbp.kursusseojohn.com:8443/[email protected]
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffdb52ecc40,0x7ffdb52ecc4c,0x7ffdb52ecc58
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,12971271467738026315,5831584318590979834,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  PID:2880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
0c6f358475d36fa790679c177e1af8c1

SHA1
9f41d17ff2c30732327151eef8da0c7213405a16

SHA256
f2856bd2983f50c29f7c0f332b4436fa89f3d0901bd1062883337b2f39f6a1ec

SHA512
0d3e74461e8807b942414efcf053b6ccfcc935a0c8d810ffc5bffc7d135629adbdbb7116e6a9158838eb87c2f22658ac6f161e964b3687aaaa934a964970197b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ec56e44a-6ac6-4027-830a-708ac6460356.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1aaa23f5bd1717fd285e345ff0147bf3

SHA1
885e3cc4ad2828741bd77eee3d255a8f502370cc

SHA256
f47fb37a8b2d20393710cdd737313dd241f81c988f584215508776077b3e6bb8

SHA512
24a9b362a0237e2fc925c3db56ce514461f676721f51b9a2acb90eeec6b7626fdaceb6a8fc7e9d83cc39a07968ca8277950990c8441461425a01d3848b86d873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0f586c4615f4f749daff15bf4b8cd821

SHA1
6af233b7e97e77e6c1ed09ae1fedc31722f3d962

SHA256
6bafcc5b19d77ef13aa2931338564c2da5082f90e0645737334be508f0350371

SHA512
0a1e2b9e71e4419b36cf3e4cc0a6dc86de6e4b53deb57390a6bafb1fe7cab0b5b5a79037ab2a643cc33865ec5a502ad4f0211092cfbf314cca751d5a9b345742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
af1050ba290d7e8628b357967d80d6c5

SHA1
81b74d160d7a3c129c03459d3cc6e996d1c595db

SHA256
be2754549262a4fccc120b9301674cfcf7a6f871afec16297c1e4ffba12d9783

SHA512
b8a6afee25b49e2f729d8cf637bd3aafbbefcc5e7f29854d39f62ea2d0d30d91e90f9150343b181cdab358c57301b19f03a76ca43479631c96de6b641dc4548f

Download Submit