hxxps://cdn[.]pixelbin[.]io/v2/polished=grass-b48032/original/leain[.]html#eh@motc[.]qa

General

Target

https://cdn.pixelbin.io/v2/polished=grass-b48032/original/leain.html#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240354062640000"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3804 chrome.exe
3804 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3804 chrome.exe
3804 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3804 wrote to memory of 4328	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 4328	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 3996	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 4848	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 4848	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe
PID 3804 wrote to memory of 1480	3804	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.pixelbin.io/v2/polished=grass-b48032/original/leain.html#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda7279758,0x7ffda7279768,0x7ffda7279778
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:2
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:8
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1812,i,15341008076518636543,15077227494622655261,131072 /prefetch:8
2⤵
PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
955B

MD5
13ba9b449065f50e9f6ea2bb3df88b79

SHA1
d899519371ceb8e86ec6987c8a38f128e9eac244

SHA256
dbed2fd3b480184aedfaa015486c64e0bd2817c00ffc43615e3538da15303297

SHA512
7ebbde73d4bb1930293b71c908388f3e6f90eb901d013cf124d5562454ac86a7eaec8d18bd3430e1425eae28379d54482db449c19309e200854f2eac979e9f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5e26c2b3859887e8f96484208c92c79b

SHA1
6d6b7c7a7c1c9d7f667ea9adfc58a885fbfcdcab

SHA256
244cb564fb2ff9674a34074d939e9bf1d39f4bdcdb9e8b9863c4875a5fb29664

SHA512
67b0d9769ce1d5ac186c39075163559391eed3222c36ad4854960bc08dd607bf79d25a886e88d623ee9a6e674ccc3369257ab8985734d7d2679fd9072fa2d76a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
58b80dffe5ecf824bf43de2b708c3737

SHA1
8d5bd32f259e727fb32bf0ee00d4dd46ac14286f

SHA256
09164aec53b80a8b79f8b41eaac18e8eb94cd602e54a12e3def8021dc13eddc5

SHA512
76c27cb6e6d3a496bd72b10c5f450b75c3109b58b6da2f4c565137619cd5bb52c5736fe90ca05ecafcb9e74d72d15f70f0e7a5247adc4a5f354734a7d68aa4a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
591426a0ce330934b02fefc5c2ed164e

SHA1
a4107462bbd20d96f4d68932d4f810f136d3353a

SHA256
beca664ec333887868a1db4dc1cad4f6b7737bb6b8615f768362b4696815ee62

SHA512
f56c5b4d7ff4630c2c4f5a43168650b954ceb6a4fa441237921222a80a2b66890932715ebcb96846ed486fcbe416a9544f0f7d082002e26f6a80c7d2fd2633a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3804_WRJNUMGNPLKKZQHF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads