hxxps://rebrand[.]ly/e39211

General

Target

https://rebrand.ly/e39211

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244641786988896"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3300 chrome.exe
3300 chrome.exe
1508 chrome.exe
1508 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3300 chrome.exe
3300 chrome.exe
3300 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3300 wrote to memory of 4372	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4372	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 396	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3228	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 3228	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4512	3300	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://rebrand.ly/e39211
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc1179758,0x7ffbc1179768,0x7ffbc1179778
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:2
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:1
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:1
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1824,i,14780872645208413989,6756500147542476757,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
f881b2dc6b2b7b097c09f377d79fa233

SHA1
007116dcb295f23a3c9f64b62a7ce2326082544f

SHA256
99ad69b327e1d90435c10ceed9d374b8872cded4d7d1283737928c848568e442

SHA512
c2d232f6e9c5bbc17b0d49327271ef57e6dbd261b1111fc0907cc69447536ca5171ee3b69570520ab163064f2f8de20fc081dcb2718b7750c97a9d7ca2b8b304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
474b0a981e0747ac514668f73b58b1cc

SHA1
ee7437da2fa83103e5a9f5a3fb85ab25f3c598c0

SHA256
327e1b03bc586b82dbf35cdb0395abd359256b2537e60db852f3f9f9e2d51a84

SHA512
0dde077f12805f279d994d7a5a6ca49b617ca69724a55a7b34ab2f806f4cea105ad305b00ea4de9db61fa6ce19117fca0656963893acd6e94936fe726a2b5aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c81fca9a22ae78fb16f0d572a5be7b08

SHA1
d6c3fa507847f4e91240a0fc930922d8bf76d0b7

SHA256
7dd3753e6177b839511c50128ff0048dbf1c34919baa0db87c2463f2734a82a0

SHA512
91be5e71b50482b2888048b566cf7f5c547edc6b90768d6814b45bafd0dc1f6ebe663280b27cbc9e671e02455a45e6b38244cb5a6524a1bc13343e47f7dc8507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
f94474f10aa7a8ceb033fa9dffe625d5

SHA1
36de5eac3950b30416c25fc7f7ca5be68a5e5272

SHA256
89fc80c7238649bd3b43d5f9889e694b5d4ef5241adb596ca14e9ff203ea760d

SHA512
044e6b620a5161d30633ec256c3b7c8e5fd6822b88992499df9040d02301ee300394f365d18175e1961f41d44191288932648fc0f21595c31e2fd1c6ef86905c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
1e797ee5d6b64183d7e6180ce7c4d29e

SHA1
cdca73de36b6bc88a2ee63d9d1a11f66ff8378de

SHA256
bd030fb8b72a05ac93c1315bce3f2e75e294b03033250c29b4005c6fbe81f0e0

SHA512
5a8a66601af4499ab3ccd0d8254b0e8786ebd867171161b1ba4bae932a9270f67242b6d8122b0d7313941fed3cc90c3a079ca15ec3cb8bf4d7fd482ffb648824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
841c8efb41a452adecc07395a32947cc

SHA1
75796615beeb636083eaff16a520eae25106051d

SHA256
c3e522161cf55a11f271439c27900f4da8dbccbbbf98fab93ba3149e760d9a8d

SHA512
99b3af8a32f08622d965b15e371e7859eb3a43ede88c1eb7aa4de59a56548fcf2cc12bc8c35700d12134faed5a57a68f1bee0ca83a04ac0f9dcfb15bbc060c17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
d9a43cdd1cf76ac223f17edc6a59872c

SHA1
e715a963f2be118e7867c5a490d537d36625d1f6

SHA256
71bce0935544cf38e8be3b993faac71c00138ddbe425ea50f5e04ddafa1ec396

SHA512
b1718e20bb154c71ca80cbc556556ff9281259155126ed940717560b1f003b011580299cc66769ac2ec165e67dc9d70a3079e6342abf32bcf4c1da2cc172c7c0

Download Submit
\??\pipe\crashpad_3300_QULNEZJMYKMDRSFE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads