hxxps://cdn[.]pixelbin[.]io/v2/polished=grass-b48032/original/leain[.]html#mh@motc[.]qa

General

Target

https://cdn.pixelbin.io/v2/polished=grass-b48032/original/leain.html#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240351843419725"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4744 chrome.exe
4744 chrome.exe
400 chrome.exe
400 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4744 chrome.exe
4744 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4744 wrote to memory of 4620	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 4620	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3380	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 660	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 660	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2096	4744	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.pixelbin.io/v2/polished=grass-b48032/original/leain.html#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb0c339758,0x7ffb0c339768,0x7ffb0c339778
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:2
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:8
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:1
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:8
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 --field-trial-handle=1812,i,4652188036544619523,16353535777679982879,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
955B

MD5
ebb667f9d205cb0dbd6cb12bcd54adff

SHA1
07780e9c591d498e2fc294114f5c78544f271a95

SHA256
bb9358c9c57733a8af9ca09a2e639d8cd7b3e3cfa4ed6902df2aa03076821b4e

SHA512
e3f4ba7dafeaa5069bc4186d5aba96c7603cf1eb9a0760d7b81d372901c13a129ac7e0c17da10e9eabc8b0256067b451665ee883aba75f21575e967d15f0dc8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a5cbb187854f407809a7d9a29a102c8

SHA1
27b32b610f228d824dd4035529884248b8f052aa

SHA256
185a4c1410a631597e4b3efc1ab3d30f70cb175aa4af645d021bd03497f6fddb

SHA512
e0d0e2a32a860bfde77e3cae624871ea615e97a40161acb033196d91fa0139e77795562f1da201e985d26aca87c87590ea533ffac51b1d51d78b082b7356dc06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
90158bb6fcd7b5ef6973d51ed485fd8e

SHA1
bc555f8edb385fe4eb5e886a1bf9f73ce7172d5d

SHA256
8d33eb8e6f5964bc7b336db0ec402efe8999c07bcaf292d034318e1012947d61

SHA512
310b73312941cbb030160e314097a184613c7692300aa31e6905fc7f56eacade0df3e78f0567106b24e035bfa1a0e6271b83aaa8ed8e58367807c3024c6b2969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
d06f8d045658e08cb84ea00a4d01da57

SHA1
7126357e191b78ba105f25ed1e66abcc92a2b1bb

SHA256
63ba81e272887be99d9f64c83f443bbd20b1031f5c18a2bd6c6440ed23741b79

SHA512
c1b73bb503be2411d8180383a5b5c4f9c3186a7a32d314f819a8f497dedff65a1d76cf59df9325b1b43547960a69d036ddb8fe195540b0b5a9888566fb1ae905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4744_NPNFRHCBAEZSOESB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads