hxxp://rayne[.]ru

Analysis

max time kernel
66s
max time network
59s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/03/2023, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rayne.ru

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133226578380388140"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1636	2020	chrome.exe	66
PID 2020 wrote to memory of 1636	2020	chrome.exe	66
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3560	2020	chrome.exe	68
PID 2020 wrote to memory of 3888	2020	chrome.exe	69
PID 2020 wrote to memory of 3888	2020	chrome.exe	69
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70
PID 2020 wrote to memory of 3884	2020	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://rayne.ru
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc54139758,0x7ffc54139768,0x7ffc54139778
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2728 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2736 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2404 --field-trial-handle=1792,i,31386822875297857,17207773719351584964,131072 /prefetch:1
  2⤵
  PID:4992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6deb5287-02ce-4273-ae5f-d93e12f024cc.tmp

Filesize
5KB

MD5
569d67a27fc3dcfdeaf5bc2b8cd96a1d

SHA1
c2fded8ce2cc99552e28df6654072c63e17ba9ab

SHA256
4a6b42697ca9cd431562f4544b10afc1dd80ca67b92b7354fbce6eb0b70a495c

SHA512
bd7ef575d284237650c1e261593fa077d410ba4c17b4d1e34e71b5e470b330b4afbd26a518c492e38055f772cdcfe92cf65dc6a1fb329eac05a67dbf74373ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7ac7c04c541dcb8bae93d78e8f5a8d1d

SHA1
92b163d53d0b522180ceeaed00dcf3f99bf872a9

SHA256
1cd71c5756636de3e9692177caa214246099183bbdcafb2790f49b50640e4d7c

SHA512
61b580f5cb2f08f95a9d1e120ed7a38ae1eefca598a31b041dd0c793a685875f0fea2760bf1dd02ecf748b818054d6b8c3eb28c7f7e3d37aec633e04ec8e07d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bde07a0e51520e51c5a41bde06c38c46

SHA1
965b0a5debf54ccbd996664435b7ffc0aa09bce9

SHA256
cb517aa44b20f61e68158960ee4830809fdb1a6508d37fac84e9746632fc43ab

SHA512
d4a844c0dd4a2100a53b40ab70eddb6873a46c48cc582cfef65dd17d97704b45ecc13260a3b90130bda2cc1692b60ac5850e19ba575a6dac1a2b28e1e46f4b71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
c0f1938b11e693c77b63b4cc5c103f50

SHA1
64bdf0f194a88e6cd78f737e07798cc9b90a993f

SHA256
e8766fb1c6091809239918bcf3f50166f0fff6916d0cad416d31c79c3f4865ff

SHA512
5d7195641cdf9f1b18158bf50b9e9273482c56f2a5521841e0a9274fa7f59508fc785f15b1d393278688888790254ff090d309748ba0655c429a68b4ce139191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/3560-130-0x00007FFC5BC70000-0x00007FFC5BC71000-memory.dmp

Filesize
4KB

Download