hxxps://lmo8083-0hsmmdhb[.]allcleanbydee2[.]com/

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lmo8083-0hsmmdhb.allcleanbydee2.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290013219543097"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4628	3392	chrome.exe	86
PID 3392 wrote to memory of 4628	3392	chrome.exe	86
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 3296	3392	chrome.exe	87
PID 3392 wrote to memory of 5096	3392	chrome.exe	88
PID 3392 wrote to memory of 5096	3392	chrome.exe	88
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89
PID 3392 wrote to memory of 2420	3392	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lmo8083-0hsmmdhb.allcleanbydee2.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb0cf9758,0x7ffcb0cf9768,0x7ffcb0cf9778
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4664 --field-trial-handle=1796,i,6887678320451657079,11192993180202596145,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
daa74773f29760cf1a1e2149e468d081

SHA1
4fc51fba9783b9a75f4afef52127a52a4477c852

SHA256
12f14774b6db32614fac793b8a984898efc282974010370c5dda8c052b23c02e

SHA512
ad8d793e501f29dec8c81c61ef19821ff649a3c59908d314e39aaa304c9679c4fb1f5513b5ed9902ffeb6cf2a1f8c3fdf117982649cf27253138cf71ad9d3648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
7e3a0e20a0aa501c1562d28ee6f4e335

SHA1
88590b88793a6dee2679df77b11c97fe21672cca

SHA256
887a3af8cabc8059c33f5ae24db32e78d474e6d68d5bf30b11e630cc687c301d

SHA512
2846c469a1ebdad663d4653aab72d2e48574a5461dba33ad8a6a4a33bc15e0a57d9cd2d88a6ba2717fff3fc0b63116beb0649f6dbcb05ec6c76eabd4cdbd35e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a987eeb470427470cb286dbbb8910e87

SHA1
65df18ac6b031593b3bc4396d9352c419aea2b3e

SHA256
a7343650ea4e1735afaf2c3ca57920bfb1079350db899b2c3863acacd38a3e6e

SHA512
4ac6f6101b83a9b48fdd44ee8253f4922c7f77b5ca697b8cbc7c43131e04e3f49efb87eeb7a532222165ec06a1ac8c717e75adfab1135e5c762b266884c9b6bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6854f49a5982eb11c8c1e05ff841eaa2

SHA1
e486392d8ba15afe76aa0b8450c3c75fed220d34

SHA256
9ecdfe680514a81b501d31b218328a5af68605f4ea9d391da5f66e28e6d9700e

SHA512
0aa0e9c9377dc4c0eb6ea58ac606c6ad4820d5786d98b61ad22c45f3afa4bf9774e60377e32fef2ceea01d532e6485ca35416efaf411791c582fadc0f7e6cacd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
655c5d55d415e15afb262b0093fa1fb9

SHA1
fdea3a2629d3aaa33b127030e8e328b37405d073

SHA256
a4786dd55825dd757fd21cd493888f51a969e5a79319b995cbfa341bf5f7d2bd

SHA512
13ff508a7bcff13c437b0646da1454229469688c1365ea856952bc5c55de718f1a38c70c41b874b955e0dd9261f7775b2884c510dbe169e061efc6f4e6c1f9e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit