hxxp://eixrsjzzih63e69f174ab76[.]apibcos[.]ru

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2023 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://eixrsjzzih63e69f174ab76.apibcos.ru

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133222714882963048"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3764	3192	chrome.exe	86
PID 3192 wrote to memory of 3764	3192	chrome.exe	86
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 3224	3192	chrome.exe	87
PID 3192 wrote to memory of 1492	3192	chrome.exe	88
PID 3192 wrote to memory of 1492	3192	chrome.exe	88
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89
PID 3192 wrote to memory of 2628	3192	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://eixrsjzzih63e69f174ab76.apibcos.ru
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa756d9758,0x7ffa756d9768,0x7ffa756d9778
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 --field-trial-handle=1796,i,4405866351913058942,12540532154257434008,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f47ddb2c05b7a00ec2072b5a49e97f80

SHA1
808f92e986ebb0d096f59ecb0b900d63f837ef64

SHA256
0e2456b6cba464d22a13837e4e04a48594667c9398b6542dacfefe5d6eb94400

SHA512
f0ec5781d44d60ca4ad9f2767855b3e9fcf8389d8d490fce97949fafea3445b5adb549af3729108088a1835e4ab46d6ae357116b4f9b6f4f02efcaa62d46a77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ca3685f5dbfa24c06051eb9f75fe3b14

SHA1
befad5171952441d504d71212bbcb5805fefe88b

SHA256
161fbda6a42fc3f7bbc12c95c4c030ca7f1f490b39c38ea4eae677b1683e8e25

SHA512
2f210711e94a7ec36ae60bc5b93088de0f5cc6fd7d81cd7c160ec202a9811242ba20946d8b0c3c1e8b3b57f7db9f716fa6dcfe71f468d3230afde759e7bacea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf52b19405a12cf0488182bc80e9ce59

SHA1
ba8bcb9f30b52cdb382338961d50afa252604cda

SHA256
bd4e4c1f67d0198177b908522d5c0bb9ef8597360e6046adeed683a02d8bd7c7

SHA512
e41c11486ad2009b994dbc58e260393090f79c08a8d756c09a5a2e55d30905021b06b6e6b4d62b82b7689df14acb9f063ece7b2e2b3e10892a3a150b52977711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8e11433fb7ac0748e4802b64a70530fb

SHA1
107778d6b448f360a33f04ed761f8ae4a02b1cbb

SHA256
567e30513319cac27350ef0b38abe59da2ea0fd6e1c949a02f399edf2a499205

SHA512
c29a0a935af74e2fab5d1ee0358ded8814484e05b6723305b815e0dd341716ff09464e5f459a854444bdc3d5320ecee612e8acd3e258514323b0047bd8656cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
318bf681fd4b527cc3554ad72cdcdd13

SHA1
79f53316c82737a4cead878905dc10d25d0b137b

SHA256
bb38bf13ea624c269d41268041a6ee31db7f546cf8920301c7d512dfc338e463

SHA512
1bdc32dee2a4e91b8ef23e2ade54b9851dda49ccee3845131e26288f1a2baf35ce0b805c01440ad35e3ed132576783b4bfc203d3774bf5feead47e6ea89272e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/3224-137-0x00007FFA91D60000-0x00007FFA91D61000-memory.dmp

Filesize
4KB

Download
memory/3984-178-0x00007FFA91C10000-0x00007FFA91C11000-memory.dmp

Filesize
4KB

Download
memory/3984-179-0x00007FFA92AE0000-0x00007FFA92AE1000-memory.dmp

Filesize
4KB

Download
memory/4660-238-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-237-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-239-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-244-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-243-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-246-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-245-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-248-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-247-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download
memory/4660-249-0x000001CCE3050000-0x000001CCE3051000-memory.dmp

Filesize
4KB

Download