hxxp://metrobankonline[.]de

Analysis

max time kernel
59s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2023, 06:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://metrobankonline.de

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133296492800470081"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
340	chrome.exe
340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 4364	340	chrome.exe	84
PID 340 wrote to memory of 4364	340	chrome.exe	84
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 3156	340	chrome.exe	85
PID 340 wrote to memory of 4880	340	chrome.exe	86
PID 340 wrote to memory of 4880	340	chrome.exe	86
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87
PID 340 wrote to memory of 2568	340	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://metrobankonline.de
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4adf9758,0x7fff4adf9768,0x7fff4adf9778
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:2
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3280 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4592 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1820,i,17553697701597877691,12193343782048249086,131072 /prefetch:8
  2⤵
  PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
26KB

MD5
8bb4ba711047411893d35612bc631ab9

SHA1
fddc00eca2e66e4431c9615df508a1a377adce42

SHA256
4bce5252202292e4d9d6de37a5bd004cb52d8c44e9f940bbcdd030ea569f29dc

SHA512
48bea7a2a376b01d097e02409aac713500aa7cfa9903378977178677a2764c0c8e07b692379b3722163bcb201f9649620347045b4503c0a35cbdd16f1e036470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
325f212f510313cd660da761da38afe9

SHA1
b22beff58d188b4ebc231cc8708d0e90338876af

SHA256
62bebc99c7b9c34355690e9cb76e17a5075e6aaa739740c4e696788f28f7838d

SHA512
a4547cc00a8a3c0f17230fb3058c21c32119e902149a4bd0219b994442700ae0bc7f16d396df6f7bccfc2b3b132590a70c5022f2b4dc3dbd960f26233a7db911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2b518ea7cbf042d18ab59c51aa262719

SHA1
4ce719d3820ae4e94a7411ea8d196acc722a09ea

SHA256
d0357de6397678868de63ca3c66a7b181c078f9052d4a95aba69cf18f89f19ab

SHA512
21d6f11afe7e6a7626b0c333959c0afdc2e14e712c961efb772f84a844d66677bce12d8c3567deb3cb74e00c440b72f48cebf60fbcc19df52287a6c619e2b287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b8d017cfad0fdd8171c08d4e6b841c85

SHA1
b2a54e7cf5870e62177cdc8911afc9c90c4b1f31

SHA256
e9aeed5a994bc3ed248209afd00bfb05cbe704950ad6edad28bd9907d41464a5

SHA512
aefb650f4c03a47e47351fa918cd9eac457893034c0805288701d36ca46128c8d8690fb7bd74d2b87d09b36692f674b4bccae4cf49b4394e9271908c3ed54b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
82598033cfd0fac06bfb60a8087b994e

SHA1
16d78ae5e8efc090888f4129cdcbe47c5d58fdef

SHA256
1e058303647e34987d2ecf375a15fbc320ca4ba371954302e532ee126a5dcd0f

SHA512
249e8e75269ebac59b221b172f6afd9c5cd5ca3543564baab5a89506aee219dc3d01b1db0c3755da01ab747fb3ec6138cf9e73503a9ccd3b028eb8723a717610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
4f3331cb1c5c70c1a58de92b44aa6b0f

SHA1
082539b0954b0c9c5c29c6f3f4ffe1a38393201d

SHA256
9cbdec882643f74f76edbd87f68bd793f40b5ae6f69053e9140137a9396d8bc1

SHA512
8b4440051c2079411f8d794e587818578e0f98a800d43ae5f3f91d37a568f1e247e2776d264dc6c835d37baed8f515adbd23744d99408414cbc27446bc13aa59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
e50b0a0507532c262a8742a03454e30d

SHA1
6b79f6b904a68aca317d2c9de29a1d96e97a700b

SHA256
6208d44cf55ad76c4d792d8c91ab8ff85c3cafdb6f52cd12ef6158887205d5ee

SHA512
b4abb1bb80df99c8dae84b224e3b344c6c893e6d3f8fc884558d177e46a38be66eb699a0c9bffbcaa02212ce6166aba6b73d94856959622ba1b83491e1c7354e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit