hxxps://api[.]main-bvxea6i-om2oma5wsxivc[.]us-2[.]platformsh[.]site/sample-page/

Analysis

max time kernel
41s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://api.main-bvxea6i-om2oma5wsxivc.us-2.platformsh.site/sample-page/

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288052647566891"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
632	chrome.exe
632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3260	632	chrome.exe	84
PID 632 wrote to memory of 3260	632	chrome.exe	84
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 1920	632	chrome.exe	85
PID 632 wrote to memory of 3380	632	chrome.exe	86
PID 632 wrote to memory of 3380	632	chrome.exe	86
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87
PID 632 wrote to memory of 1684	632	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://api.main-bvxea6i-om2oma5wsxivc.us-2.platformsh.site/sample-page/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46e39758,0x7ffb46e39768,0x7ffb46e39778
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4768 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1784,i,1895855960500807173,17529556324627040700,131072 /prefetch:8
  2⤵
  PID:2308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
54KB

MD5
c3193e281096b13bfbd06ed13399a7a0

SHA1
061eecd474631b2037819b33f2924d7038886dba

SHA256
7beafd737c66b36f397e6b2698e3d8999e51d0469073647fcf46de90047509c8

SHA512
72059288830ecd3c36c2d61ae5d7c7152051333420d9cc2289dfc296b149ae69a45bf6232568207237ee82af3dde69b76fe43a6f549b8e2af8ef2b5be403fa9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
96B

MD5
b5ebf8f02da6b35eb3333ade67678461

SHA1
fa4c36677d7a16e58ab0d806ebfc8f212f9d1059

SHA256
e1dde5d6f203a3e6431e830c94b6b298a9d44628b5852da56b263172dabcd8ce

SHA512
22d9632f434cd915aa10a21d558b42d5e0658e9b83d5bd86584e4902f128f7d0f7ccda881eeade458f16cd74a8fe2e60db9c70f70957dd43c5b9d985879278e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
22bd556bccff77be8c2d0b11790a3d0e

SHA1
0bec09b9f19db40a04010c1622830e437109e83e

SHA256
6d05d1bc725b3b1cb9c8eb199172b532ae9bd23b704c558aa03ca53790671f16

SHA512
085519db45c703dae4271554d81478b4049839f90266315ca1361354be6c1f65b5df1a2da4933eb3deba0bb98fc9c6a853b4c599cab25f8304218fb260a18869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8fe57b15215642bff04ddd9af3df88f4

SHA1
8634a0efeb827f014590483ff0f18051d036af5d

SHA256
53690f06b1435ce633c2d7f61e30e04f20dc2398d7b639374cc6fe9167f402a9

SHA512
e9f176f7f563876bbe06fa601c58cfe7319504849566346a9d37adca70c416957556fa914b73fae6548ef29c86c750138246855662519e6070a931c4dab43c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1bade6a0dba4e5c8f5c3ba525ee64a1

SHA1
24587d3cc6af082fe24a8b96a21f8a0365b04362

SHA256
2b8f1a2220c419f788bc996e6c38807291672a9de6bc93ceb3b271e107153cb9

SHA512
7733354227d012697ff8de7d35da7d77f378f0a77c890dacf7a7f3c6c65cc1af7db3b16cf713eaa01c2bc321a379b174870a96dba7ff286a876ea98ce0586c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
402db0521c09f815c24de306707247c1

SHA1
671e65918b01bc6862de67537ea24df7ac5dc683

SHA256
c730e6be203feaa0e6441cff7f186d396136f6e5ffdff357babe23f76472fbe3

SHA512
cfbc345bc9c882475ad5e991bcb8d3e4a6ef3c3976238a7c7bb95a74a0ce7b3cd1bfa8b37f914509f057a919f44ef5542bea52d92ea27eaa1349581e4182f886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
d716fb0170a8729dda9f9865c84d6b15

SHA1
06e8558bfec5164ef5f2b1ce43ee9aa00ddffb58

SHA256
541acd75f52fb30166c4f907d88338a5bbcda554af1b089c6e91e73102dc50a8

SHA512
3b77472c0ac5c8cbe63785bf03b8a57b26495bfab6b7cbe0632cc1deb99f228a2070cf14e7f7dd75339891b53898b706c0d93b0c83fa75b952958a4e5333f8bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit