hxxps://pub[.]marq[.]com/Orders-FILE/#_0

Resubmissions

05/06/2023, 11:50

230605-nzy7lagh7z 1

05/06/2023, 11:47

230605-nybpxagd45 1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05/06/2023, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub.marq.com/Orders-FILE/#_0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133304394648653587"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1596	1444	chrome.exe	66
PID 1444 wrote to memory of 1596	1444	chrome.exe	66
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 3112	1444	chrome.exe	69
PID 1444 wrote to memory of 4000	1444	chrome.exe	68
PID 1444 wrote to memory of 4000	1444	chrome.exe	68
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70
PID 1444 wrote to memory of 2508	1444	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://pub.marq.com/Orders-FILE/#_0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe8e699758,0x7ffe8e699768,0x7ffe8e699778
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:1
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4996 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4268 --field-trial-handle=1760,i,10157789072579449148,5303289617021829558,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
9d662524afd3ac3b952fb5f227d36010

SHA1
a46abdb15628089df8f278a138c6f70d9fb92f1e

SHA256
272c5e6b14d553f17a0d54f340a0507201dce88bda5d7565b42f207c7b19f116

SHA512
41943984b159159c2e544d261215f2abf8a0fd7a0af9602f72cac837e58748c2860b2a8e39295c39848e109b2d8d43a7a7a3bc73231a504afe4fa149af73c157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d758fd6e6d7342ae84ac856a1e1de721

SHA1
fc90d8957d467ffac7d35361c17b0e9608ae6c12

SHA256
4db4defa269a4a6ae0a257d28a434b1d136169a1738a205f537821b26ebde0d1

SHA512
55e90f0622ab25f1b907a0e0cecbf15021ac238f8fc83d43e803df5ddbd1b2dbe01dfaef67d42581a2522f0157832d079593aa9b297d07542a0ff77546a8a970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c662e31c1dd20fb8af036fe06cca6384

SHA1
89ccf4dab772f391c20709fbf7eb685f7dc775f7

SHA256
82cea701f6875f4491505368cf8171b0f3f4d3df6c5931be39c0dcb5e575307e

SHA512
4c658074bb48320843da1f3fe750eb7e4100fca84ea2aeec9832667d5a9b643a0c743a7d756dd651e3f4729f7d3bf66a5892f1259a32b9de016a983de2c330e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e96cc22ea1aae6c44f66f18d9cad45b0

SHA1
11da37c960e2cba6bfd69d53fd0ed0538c438273

SHA256
9c90ccdcbecec53a91db8e9d38cb37e4acb4bbd284f2cb79c8b20d2557584dbb

SHA512
cee54902e4da6c304e7039ccf9bb1a90d7a2ac117bb0c60e557d04e0aa03c092626a794997a61025df68312a6b89b9165634a21cd73529d321dbbf7ba9c70ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
788befb05100df439adddbb912083730

SHA1
4e45b51851599a4112cf159ea77dde89dd540876

SHA256
2ffa4e7dddc1eff124f0e4b50334b5e879da9de044395d7430793f54ea68e9f9

SHA512
aabf26b315c0cd27b34239df801f1b47806dbc10a4ba99127c63a79df2933b6503aadf0e63e6ae8d6a7a8e9a1d3d6adf05fb9ad93260270896cc0bfe5b5f1db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
44bd013db273ec3308f9f0abc00e5a1e

SHA1
fac84f57c6dd332c10e010f9cb6683f70cc5e741

SHA256
5cd6d78d949b70c17a6952c6c9f58f305cbd076fa37a9b2fa24fcd876615a279

SHA512
6cd1a3c3f3fb0207c0c616389c119121293b4e138183621c70eac5cbdf1f0eff22dbd973137897ae28e8cd5e90874aae867536be7c93ba7fe0455dab551d7803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ef60d808982c7095738fc2800d7ceeae

SHA1
65a12256731ae713d34dfcc5bc6c128d9ed3efc4

SHA256
dc17736db391403d574a4f4f17bd03fef0b16ceec7aaa14cea0432a523e6a85d

SHA512
768934344d367cffa522e36c65939570458e002c972bc2cfe04df4cb107b1f7ed48c21459c0c2e04a854ec801d9133f18d848b2e929204f31141d618262e4053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
acbe3d466d2010fef546f480207d6cda

SHA1
c72272999726353d34f5080d27f8f2b27b33e522

SHA256
8d3bb4680f334dcd48f021892d8cd750e2ca7edb2e0d96784e85dda6e200c621

SHA512
3c7e8e8d873a1010ff39d80d3bc0e3cd36673f5141ec4f9e03f1baa2e1e18ea66d68ae92951e14b2d3959880593954e22d12c10b309926dc52b2c008ed7ff7c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit