hxxp://russianmarket[.]to/logs

Analysis

max time kernel
42s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 11:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://russianmarket.to/logs

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294954240371155"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
504	chrome.exe
504	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
504	chrome.exe
504	chrome.exe
504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe
Token: SeShutdownPrivilege	504	chrome.exe
Token: SeCreatePagefilePrivilege	504	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe
504	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 2080	504	chrome.exe	86
PID 504 wrote to memory of 2080	504	chrome.exe	86
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 1260	504	chrome.exe	87
PID 504 wrote to memory of 612	504	chrome.exe	88
PID 504 wrote to memory of 612	504	chrome.exe	88
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89
PID 504 wrote to memory of 1580	504	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://russianmarket.to/logs
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bada9758,0x7ff9bada9768,0x7ff9bada9778
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:8
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3092 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=1796,i,7311486580703422986,8037244250583212410,131072 /prefetch:8
  2⤵
  PID:3916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f35dbc3e56f2b16b2238539763a90943

SHA1
e8462c285f342f35a192e03eb53904a328ef11f6

SHA256
ff179473a338838736cad09324f9317156a0011394910e6dd1330225baa7e1e1

SHA512
90268f42d760015c055920552fe27148cae50e2f0818055283d998316f4f3cf640870db0061afcb0f3f705c6168ba07e1ebc1457923fb8085a08bc7a752d51ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
ec6a245b6d6a9aada5acfc06fec64f4b

SHA1
3752028cfb207c4f3d06cae1c3239ddef95d8a84

SHA256
fb8da06e57f7510c58e6cc328c93012831d95c378995206f9f2129abd711047b

SHA512
804423156e3c5c194b7024f368ae8ff8cd4ee83ddd63efd3075f286b9bc06b598f221d07a64adf5347301b51be429befb91b250c41d1a320fb85cf0c4ce628a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9c88378f28e55e1839013e27d28165c

SHA1
5f35202924c7100e90dd474214781b5c3e4f72b2

SHA256
facacef4219c78d3fb9dda4a249b242a5820afbac3db48dc808234a199a63cbe

SHA512
793461a3f895650d496db4ded8c8bf531513e6f646937da7c230fca81ee88f4b66cfde45402bd7cc70747b218ccc6ef67ed9c4988f4a00f325d72498abdedb96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1f3a1fc11abea809e685dea597668a8a

SHA1
0cec411db686989a96490f1dbf477254cf6b0168

SHA256
f17dac5972d2cababbf153c509bcd0e34853366b015b6d30c9f3c06b15ea567b

SHA512
c5c7f24a1cc16bfea07e95bc2dc2a551a3df702ddb055139bccbdcdd0e0ebfdbe891a885e6081bd9c3be403f3b6e3d48297ad5b28faa11045218d3dfc4728e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
444335418f45029241ced740fccea74c

SHA1
2675f7d29e34680f377737e09ca7cd89ef7e18af

SHA256
ab186c0ee8491d94519a3f3232d7317bc5637d6036291627db47561fc5c1c26b

SHA512
9d7fe53386ad8d5dbe03dd6e046b41b67aae724dd7b4bb0f2b12f45b61dc69f566185c5a5bd44867e923fabd79693d2f6d8402c92ad0be907baefe8cbe915747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit