hxxps://www[.]einvoicing[.]strabag[.]com/

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2023, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.einvoicing.strabag.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133237143477599432"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3124	4544	chrome.exe	86
PID 4544 wrote to memory of 3124	4544	chrome.exe	86
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 3696	4544	chrome.exe	87
PID 4544 wrote to memory of 224	4544	chrome.exe	88
PID 4544 wrote to memory of 224	4544	chrome.exe	88
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89
PID 4544 wrote to memory of 4668	4544	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.einvoicing.strabag.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e729758,0x7ffc9e729768,0x7ffc9e729778
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4548 --field-trial-handle=1820,i,9541862843009192526,10532648200451351270,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
4c771489735ff0803efd3947a7a517b5

SHA1
f449bbfdd567fa8263064783bec2edfaa4f03e7b

SHA256
6eab8d524df8eaff233b081a787b7edfbef1a92493546d9f50c247c037404c0a

SHA512
82cc89b91c375a916bf8466391a4f48e29b57dfd23a48666245714c9a6d9cc1b10bfcd29ca09b502449ab551be032c196b13aa69a36ee1c9c541599d50a402cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2894c2ea563573d05eeaa68a87e0a48

SHA1
9b2302e16b446d156ebde10ab974b9e469c4c7fc

SHA256
6ed4f79007d409ddd027ad7f3ff6d4ab225cb38098cfea7fe4c2b0df404b5044

SHA512
19d72c9fb8606500e8f13375b554d88803c91ddeef5c77da63904942f94a6c42ced1098fe33f8189f37db98f304d2b2d0632965ceafe0589713471d1779cd7a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
0523c9dcc7952f3cd88f2c8882d6fce4

SHA1
0a6f361d8d88d20939663ea9af055b667dfd692d

SHA256
74dd83e2d2157e5ed6556b1f907e3f01d3e518c418ba756b5f507a048aa81ba4

SHA512
56a24a110664b18aa3152ec3e5c6e074cdb2a2cac91eff166e058bab97c051ee4177752d5291b398400198df0a007d7c7827f05615a35cfc1b46bb95073e3b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
7f44296c20b49da597b25cd68fce98fa

SHA1
513f2870eaa8566b766640d19237ffe9785648bb

SHA256
4a0433943cb0a1c4609f789b33ec3f14a69513946cd7d87e409a4898d8930b61

SHA512
0f78bcfc062d20649908d02311f61910abfebe75dd6308b9e5100b172405c01f39658b1557f2592c0843daba8605373ab9c0867eb1ca06b046fd6390bd581fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd2797ec17a12b1a6b3806730129bf73

SHA1
d4ad5ac92afc97ba53f7445288684c533d9ed133

SHA256
1a1a4b3eadba52a7664348126471e17c7bb8c9ca9c4e1a61da017a03405bb67d

SHA512
0037fad63e31f3700c921ffcb25f10a6f16a7b48dba638ef5b9f17373bae6c455117186b67bfc584c17c23960b8be441f24d4e6b40970f19ec0edb23dbeb0d54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8d2175ea86394e182aea27dcc07588a

SHA1
73482a4953d033a1686ba895b787e1cc0185c413

SHA256
7290d6199947651dd2fc78733f16d3c1f78e5889b7ef8fd13179c71c404d6074

SHA512
e2a41e41239a11f13e536891f73eadf240000130854f34d914a6451654df7b29a8a85ee5c08bc0fac48b013b68ac04342469efdc833f07b9a8630abc89a1aa18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f0a70702a1493f71e21a5b12cf6401f3

SHA1
eaa079b9c64daedfb5fe377b1f76701d612ba06a

SHA256
6d637785efa4ff67739d4e20081d011ba07aecac1efd2256d892d2d07ef0f01f

SHA512
48f315eacca251d8459966df77c45317411e27441ba13879e97b36a8a67d2531ea674cafe4e4597198857a2d9f9bbda988531bd646ca94ea8bdcb806309c0c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
6a98ef206635b2a5ff830b71fa6cadea

SHA1
076ee138307592f5d21d426830725d6d2eab2be6

SHA256
b3377ad86e34d0377b982d171334b763502f4aff0cb8372b024715aedbf6b974

SHA512
d96c087bbf3cf06671da44f67af307c13a1895a0eb5afbee393425f848012081003b1d928c8ad0cee291f9752e07a47c9f60b583937e44a5877cf432b745adf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit