hxxps://russianmarket[.]gs/logs#1640081280963235958

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://russianmarket.gs/logs#1640081280963235958

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295257908816889"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	chrome.exe
1848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2760	1848	chrome.exe	86
PID 1848 wrote to memory of 2760	1848	chrome.exe	86
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 1976	1848	chrome.exe	87
PID 1848 wrote to memory of 2416	1848	chrome.exe	88
PID 1848 wrote to memory of 2416	1848	chrome.exe	88
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89
PID 1848 wrote to memory of 116	1848	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://russianmarket.gs/logs#1640081280963235958
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaff49758,0x7ffcaff49768,0x7ffcaff49778
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:2
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3352 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4808 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2788 --field-trial-handle=1820,i,14254050565628470558,2798618826142848668,131072 /prefetch:1
  2⤵
  PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\360e302e-e528-42a0-aee1-cd56da171e2f.tmp

Filesize
15KB

MD5
f978029c505ef4380beff6ae648a71be

SHA1
d1878382f32d6e75dfabd42b7b78bc53e03b4845

SHA256
d0fcf12550b3286fb7708d4c30733cafd2e852033372a3afa4cd430ec43725c1

SHA512
53dce04d308407a6043e8af9f20b66cefb2d7ed696c3b4f1d51879e29648b49bcb48a2a046061af1424be1b29b23e54007994a0b58f98386edc2d3706b87ebcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
882B

MD5
4472745240257ee32dedbf8a4d4b5d95

SHA1
6588b606c3e031e7971ee8a63b54d0fa14fa6fa5

SHA256
10068b3de6d30552c549a950f5976b7ba81892d790afc0ed776d44ceb7e5f988

SHA512
54560e06f8c9c90e93703d1e2622c1da355e24bfe321141b8278c9ae06b507e6c6122e622d71ffa84d089e8e8f8f59a02217f2720adf5e95dee8dc755ae8408e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6f9c19b0e85902fc6cb0f7c151e6aca9

SHA1
6ed8a4617a541fdcdd1bc3a90a6034d7b3be0927

SHA256
83249af3530562cc619ad21d6b4a0c0a17735b3104fb3e8e541360a66428b2af

SHA512
2dd39be2035af3df6d6ed7bb3b0ac6812e788fe86c57e2a81f1f832424f0f8984e3ed867e498e5026b8e417c5015ce4f3a3ab7107ca6520c90aedf9ff5e719a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2b95de4164aca5347c287914c9d23512

SHA1
ea18aa4f8c741ace916a1ef9db5b7d20ce58f2f0

SHA256
26dc6a3cc8b6409921ff93d1e4bfef14e982dff51bc0f62c29ead3b7895308f3

SHA512
f2781ccdddb34131af164b33ce5f7381c42595a11a2c2d1cc71faf96d71fd9f325694f1edad5cf8311df0dc730edaa6c1a459cebb2364cf7729e4ba3da957ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
dd0d9f70af06696558de466602cc381f

SHA1
84516dd60e75b5381406e9f3ea37787469bf94b5

SHA256
58793ca5512a30f9b7da1ff819122df205af3e5800eb04cc07b3e9719f4f29ab

SHA512
d8405374563d239af1c51b59ba72c4b74d08d6e131e2e7aac4ce3505ed520d786828dc63c938c73247e2fbf30fcca62254eb5ced93bac032bd9e5b8de2676a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit