hxxps://lemtrail[.]ameonskin[.]com/api/unsubscribe/cam_5AxHAy5ftwXj38cqE/Y2hyaXN0aW5hLmNvd2FyZEBzb2RleG8uY29t

General

Target

https://lemtrail.ameonskin.com/api/unsubscribe/cam_5AxHAy5ftwXj38cqE/Y2hyaXN0aW5hLmNvd2FyZEBzb2RleG8uY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133237992955419028"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3008 chrome.exe
3008 chrome.exe
1320 chrome.exe
1320 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3008 chrome.exe
3008 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3008 wrote to memory of 3568	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3568	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3840	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3244	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3244	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 1500	3008	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lemtrail.ameonskin.com/api/unsubscribe/cam_5AxHAy5ftwXj38cqE/Y2hyaXN0aW5hLmNvd2FyZEBzb2RleG8uY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b16a9758,0x7ff8b16a9768,0x7ff8b16a9778
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:2
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:8
2⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3240 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:1
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:1
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2876 --field-trial-handle=1812,i,16255232962753217101,17022795022908894729,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b3474cf664bcc8abe21c2eeef5accc53

SHA1
d79fdc63bdbd3bce8c0f76019e352306005f82fc

SHA256
40685856aea47d26bd92033fbba511f1eda38b2085d7e5b998ad64875342e673

SHA512
ca86f2925c0a4a0149e4034beacbeda7dcc79ea583da16b243eae549ae891cc2988ef86b452e2b123dc4950bc5ee96aa341573307e666a8f4c530770730bfbac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
a2ad4566a50f7d23ad658ca4c96f6d81

SHA1
1586a03380bb75a931142352c049e2398b3494f2

SHA256
1a52e5319df007a2dd171fe4d7e855cb40cc594b1d74c87f458c3b68d12781de

SHA512
245cac4df4a8f4ebb217415df4619418957dfc597e3a6a646daf4e7632d4b3a4a9d689991db088625cc3f585c2e562b5c38316d4f1331748a2ac6f11896a8973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f2aaac39c87fc605e63e4e604b8b5c3c

SHA1
9138a9253e238b8914740ff42ba3a37bdb217b9a

SHA256
dc25d47696278aa1124d4d2512ab1e6aaed7d5046442dd2d171c11a6d31d6250

SHA512
6462b4b218d6486956c5d66b095ae2e9361e8da30166edc27645c50c1cc5d17d03d5621a5966b6e4538b7602e0e314eeddae3875c15da6d0db562083d1f715b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5192d198ac93f34b623bd9245584dbf8

SHA1
08619a1e547db77be9cfbc40201b43cd12d536e5

SHA256
fd72f5e49cfbb22d048a1b13efc0cd80ec4fc47d101779c23abf926d9a06a799

SHA512
67f04f6f6e14ec87edf76fb1f80172b3b1b00567811bad1a1cb5983036d183727b347094cf19b3fb04d449b7c3b1a66a3691a1286dc95f25fd3eb7a22b836c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8ad227af492d9038d8b81f865caf1a64

SHA1
72a81394378e85c8d552379c25c5678523ab2307

SHA256
f022f4f3d9f46361b56d389146741e06bb2850c307a871261b868048e6259910

SHA512
8e595f55965423c17adaf00615dadc7b239b0dd01fe9e25585c3e31db056609c5dbf3ed62d5fbe4cf98199c89b6c677ba681bee63e25eef10d335d4167ba7f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
1dfe5e2846ba524633ac73a97ba660c8

SHA1
4499ea44a51c1488ef6dfc82e5d16c6dd17cfa0b

SHA256
1db1f20cc5d1f3c9c188434d1a765dce22558f9ff01322ff108e605505b4e43f

SHA512
49753e85a2a54c5d06ab8067036ef91b9b5dc87c41b035c0b7c500f05d7accc927e8d1b953aaec94bde5c1ef75af0c4390f82a3bdbfd4fa2fc73fc03f2006d9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3008_SSYESQUEBCMBKPPP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads