hxxp://6zuvixt4bb6418740798edf[.]nlbdr[.]ru

General

Target

http://6zuvixt4bb6418740798edf.nlbdr.ru

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133245237964076749"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1280 chrome.exe
1280 chrome.exe
2188 chrome.exe
2188 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1280 chrome.exe
1280 chrome.exe
1280 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1280 wrote to memory of 780	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 780	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4488	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 860	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 860	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1384	1280	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://6zuvixt4bb6418740798edf.nlbdr.ru
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffb89759758,0x7ffb89759768,0x7ffb89759778
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:2
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:8
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:1
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:1
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:1
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5384 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2784 --field-trial-handle=1764,i,8499090851742306176,11760767498384978044,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e5edac23e240d750f78fbd41913af742

SHA1
b9eb6f00e3dbd495e7a2798ddc664f1bf58c002a

SHA256
34f056ae978bdf881bf1d636bf494f5f6ed99f9a34f7a7174f9212b92ed02829

SHA512
3506a8920c43c202c0f1fca088a5ddf71f05c99499735525f4f5047a3bfe3faf55f3d672c7ff7e98dac319f35e95f1320a774e3ab920ab32db80712e048cfb6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f51aed6bef3aaa5a17dbd42de8672f4d

SHA1
4d4b9181a145918285286731416992e0f1768ddc

SHA256
c75b195f5980edd49031352f4d7b48bc44f28e8bf72f7dab87a8ea4e8ea5219c

SHA512
23e5cd69044292483027caa6eab27ce9cf789fae814cdca153b67ba6084f7ec9de2a234c071993e02cc2b3a92b97e968fbfa606283c5663fca2c1b5c6f62052f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d7624db018992679b73ba59c561f7f00

SHA1
e22845efa4f6c5427736542e4ad99a4894f9d878

SHA256
89d2a238fc631a9c9abf77435cdccf7a909952ef5641c4bc2db6b447e897493a

SHA512
ce6499f1c9da7743192020cdbac3d94ede2713d709f9c3a584243c96941a52eb3305ac58d98472b2d7af50401fbb59f5df364e6a4bf7ffe763c9f2425e09ad0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b9d0c30907eec44da52b6f11a42cafcb

SHA1
82979d82b82797003dcd5e792a66b079f5006859

SHA256
cc016d14e0fa6757edc399adce13a93c657eab518f9abc95cf728cbc4569d077

SHA512
60b4ff9677e7c687b6e6761df61038c15fd7aa9ba0259eaf546285bf6a96248b4838b5697732b5c450200a33f6d55de89ae44876f4e7bed5902ee56d98c9fa3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
5eec14cb99f7bc486a8bac400db8b6e1

SHA1
099970930ea010d46fb1e23f4288d576ab6ff931

SHA256
79c7e3906a74b97da4ff8a4989fcea0c56f2e731090eab717960de3f6964da0a

SHA512
97e6654b2101422c011ecefd49237c5c6199484ce92908a76484f3206456f6f32f52e3f4fd48b4af1933516caf266abd6b6e921aec44484c50f60e34d6ed154c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1280_IAVMPEBQXKTGKSLS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads