hxxps://polo[.]feathr[.]co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2Fm76k00[.]codesandbox[.]io%2Fereg%2F/?register=dGV0c3VvLmtvbW9yaUBmaW5ldG9kYXkuY29t

Analysis

max time kernel
45s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://polo.feathr.co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2Fm76k00.codesandbox.io%2Fereg%2F/?register=dGV0c3VvLmtvbW9yaUBmaW5ldG9kYXkuY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133293955562250875"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 392	3812	chrome.exe	86
PID 3812 wrote to memory of 392	3812	chrome.exe	86
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 4868	3812	chrome.exe	87
PID 3812 wrote to memory of 896	3812	chrome.exe	88
PID 3812 wrote to memory of 896	3812	chrome.exe	88
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89
PID 3812 wrote to memory of 5008	3812	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://polo.feathr.co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2Fm76k00.codesandbox.io%2Fereg%2F/?register=dGV0c3VvLmtvbW9yaUBmaW5ldG9kYXkuY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa756d9758,0x7ffa756d9768,0x7ffa756d9778
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1816,i,6739628480876771724,2121152840292652317,131072 /prefetch:8
  2⤵
  PID:3212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
c177d433786d9a5108f80a41716215c0

SHA1
45f6f64e47166111095ef7963ddeb06631b5dc99

SHA256
9012994d839a0b13df8b579df917db79ea4eee9a049f7bde82aa4f908b67e926

SHA512
086299b5ea1aed3817d582f02774877d55866e45f6958bd51edcf8b04d34ab8b706c009f084d1e82981067003dcad3dac3bfa615e887e6f9e11f7918b85ba694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
68450d3f4651d1fa215815f58430689f

SHA1
51326d39e252360c413765f5bbde4832feb66055

SHA256
714411556aded33fb578f2d6f522d2fdbe3b794e5e00c86d1a8a9396055a65c1

SHA512
cf72cf544c99b5336e7883bf407e5fc5eafbe83c62c51e330ca6eae4c03ff45ea6fcaf2f87d0c5fc348de863cb2e59920d5f64d56717cba83b0ceca0b3d8dc78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a11dd0ee1e3fa118fc828dbd16d2f381

SHA1
6aeb8067ad5bea3c7d7b15d9e33ad7b04fd7dcc8

SHA256
331ae6a40626dda884189ac68a39bb8f3b143b08f9535fb4786afe5d33255917

SHA512
f6fb9a6af29951f14910436bbf15d7f2c5c320cd38036ae145a1fb9e7c4a63bd344ab7e799dba61b4f40e0a7ccae64cf252f2259a4f68e5f4f9ca14e7ef42298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
db8e20d89493be94e4b3da9d7b9cd924

SHA1
560b3904beb1b6e88e17678fe5cd79f9bf1c6406

SHA256
37cf4b2ca5f7aceab566e11df8ab646799697ea793df5de1430d700d6bdb30a8

SHA512
eda250420c2db223711674067b959a8dfde9e117b0c072d93ba7d8fa94b671d66bde9ce76e8feef38fda06397c9d7efe01163ea5dfd1598db77d093335781206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
1f30d2f8d4beb238685e06a89ceaaae5

SHA1
fd17e9753e36179b5ddf9d167d8de612468b4185

SHA256
11add36adc1943337591ec2fef8684310871387a92f58a1765ab2c58e6758eb3

SHA512
441674e11ef78135609158ce62939b25efd94681e78c41a72439158942847324a37ebd82d6858656f77349b6dcc5c843a9d7528fa81d1da9ff5503dc9b57b96a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit