hxxps://cardinvitenow[.]com/ve75c5b5222/e19e5b30481ba57cddf91933/index[.]php?id=ca02ef5b4a922ca0236834b4f147d15c

General

Target

https://cardinvitenow.com/ve75c5b5222/e19e5b30481ba57cddf91933/index.php?id=ca02ef5b4a922ca0236834b4f147d15c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133307766478638719"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4256 chrome.exe
4256 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4256 chrome.exe
4256 chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe
Token: SeShutdownPrivilege	4256	chrome.exe
Token: SeCreatePagefilePrivilege	4256	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4256 wrote to memory of 868	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 868	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3312	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 2956	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 2956	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe
PID 4256 wrote to memory of 3384	4256	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cardinvitenow.com/ve75c5b5222/e19e5b30481ba57cddf91933/index.php?id=ca02ef5b4a922ca0236834b4f147d15c
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffb61ac9758,0x7ffb61ac9768,0x7ffb61ac9778
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:2
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1304 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:1
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5272 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 --field-trial-handle=1836,i,3979563537472902837,2917130359135552613,131072 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8f8ec255-f308-45c3-823f-915719848f14.tmp
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
e80212834cbbcfdea6bdd13023770825

SHA1
ad1e6affaa3ec78ba1fe3d190b7932e8fbd3f1ea

SHA256
a7d69e15eab75a3353babd082022aa5bcc49ee98add68199423c035278fe67a0

SHA512
aec0d9fe4dad9a86ee74c13e63f476558170a96f03be7b703b51b9db9e66d05285dc351916b135c1c5bb6ce1f301c474c0e4c4182975af329472ee5823f93adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ecfa1d5bfdd0fe3540b25f640edbb0f9

SHA1
6a524fc83f6474d9b137af5449ac360a748d23d7

SHA256
dff2a482f3b61b7642ac55c46ed755cf7325bbd7138cc197f9c22ba1e0ebbedb

SHA512
0100933db0eafd147e0d07b8d827833528df305bf7b475ba665612d5556da1a097fd629f5df5acb59fa8fcb16c7fe064db568d498b99b6b5e7d4401b35e5fd76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
b14a12a015c8f36f5f192c129636136d

SHA1
2bde3886daed5b6912250ee1c1dcac3de793c43b

SHA256
ab7f55a6e55318a3e9dce045a73d51fe67009fbec40396665660c46cba7a49a8

SHA512
04af9d59fe4affde5837720eddc56eed8fd70f64c3e148961be9a2f498739f5f256769b6c51e6a8f3761d09411584c5101f14fae05d2015a332e0f7a585bcac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
3d1070109083f7e615c32d26bdcfc6fa

SHA1
0f33ec9d66f02cf8056256b167af621910a84f91

SHA256
1dcb73246a8c675d4639ea9c43e5edb0c168e0caa10fe6b679a0f389f31723c3

SHA512
6d23adab78e0ef7d7c2e06681ff95701b37de64586912dce08d330d8b64b2fc8def5833868d98ad7fbc20a0c4364da76f20f2f4c2646cf3b881df1443d6ea43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4256_1682227775\e0fee745-32e5-4a90-9dc9-5f7451dad11c.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
\??\pipe\crashpad_4256_YYYCFFFQHPWZYSAP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads