hxxp://www[.]rainbowhotel[.]cc/

Resubmissions

02/08/2023, 01:13

230802-blj5asdb61 1

02/08/2023, 00:42

230802-a2d3jsda9y 1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 00:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.rainbowhotel.cc/

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133354105551319612"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
1408	chrome.exe
1408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 1008	4616	chrome.exe	85
PID 4616 wrote to memory of 1008	4616	chrome.exe	85
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 3944	4616	chrome.exe	88
PID 4616 wrote to memory of 4004	4616	chrome.exe	89
PID 4616 wrote to memory of 4004	4616	chrome.exe	89
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90
PID 4616 wrote to memory of 4708	4616	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.rainbowhotel.cc/
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b699758,0x7ffb0b699768,0x7ffb0b699778
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 --field-trial-handle=1892,i,3658770857151208555,11836593669131740532,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a83cef5cd4cdb060e5470d71d0081828

SHA1
9f68521de0b357b8792fc45e376ef6dabea725ec

SHA256
891b818bf660314bd61009c4457cb9dc2fb16a3f7dd75a1ff03634ef9b0b770d

SHA512
8eb5e91bce53aefaca1922e77959adba241f1dc6074fd22ef84bd8df5dc54a0f922fba5037bfa5ae718bb868e9432aaea8e6d721d432ca986949e90ebc27dda4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dbc36b144c6f60c7a0539ba97e3d106c

SHA1
d23d33eec35c1f1f78fa4870461b90af18c9cd02

SHA256
07f55bfe0d8a900938ef6ffd9a114d1d77559b956c521d893d8166c997a6b5d0

SHA512
41e5c1ee6fb338ff9e90d8089dde1cc2ad87b8cddc28ede5d663c5261a020d0260e2973021b7a528d4b1054b84d96a633bf66285582d6a96f6b9b859e3400ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d6ac580da1d188613d146932e674b362

SHA1
73066c2754800048af11d3e19896751112c205a4

SHA256
d098dd9124bd689fd6c3fcf36436f64df3eedffb204356371aa18989c2904eb3

SHA512
3e355de7840a7e3eb605e194865353e26b4c3dc913e45c76facb2e3a97ef6a64996203f9496a54ae6dc5e70c7ce3e57bab19bfe2ae48e0cbaf08ddc03da71387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
1483ad2f35bc5696d2f5c1f626cc374d

SHA1
799398b4fb6860c868cfd2e5b93a16d18256d80c

SHA256
f66462c7a884590b6a129fa789bced937d9cce92f2cb58514dabae971d55bbd2

SHA512
24b68f1dac87b475f09476549f3ad22d808528ce8cc44f191b5919bb3e76b21fe8808dfeba32b1e9ed613400770f32e56cf5a9ed79ca34915f18b215f218dfcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
a349077befbafc4528b5dba37387f201

SHA1
ed2364261e1f8f54b69957578e9af9a07492c75a

SHA256
545ecefcbf1a8e8f95b1950fc63a48f6c31da43edff62b0006c47bd9f79e8941

SHA512
5c1d018a4f533f3c9e5edf4f1c3cc5e2bbdb2be2477f5a522e9c005ec8554031d0262528efc609a3863d6b114edecc4a37ce7d54a164cdf9b83235d5de0382e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb541e29e83a3657d34050e99b646134

SHA1
8549f01ec8b3c32aba0ad5d35a1c13e322b108c1

SHA256
2f4eb8a3a49a6f9e34573f6fe8983b8053c8414aa413907d96fac7af777d0b55

SHA512
6348043bf4d68352af9e6c08e110378f825131cafbac0db79f63c5299f7e0060ff2fd08ca179b0f2bb43bd8a5cbd0e8444d1c72a8f5ff31de3747c02e2c39a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e6574965b57d7ed78b262ed1b219c666

SHA1
52679cbf0679153f801a089d93cabdfbdd1197c8

SHA256
8f9b218ae01eb912e755d2f5e28aa5c8e9427c159d350f6d40b0d5ee862077a3

SHA512
daad12ddd94f583c5f86f7620715edbd5b9d1ebcf65c3e8c7572e21ca43da237130f1fcca63c8885909bf4a83b09f90d144dd548790e028ffd912bfa4a6076f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0dc25984d6edcbadcd861d4c40dc46e2

SHA1
87db6821bf56edf6e4e7f246eb7b702db6bfd74c

SHA256
7932db59a8f55b9c184dd742df9843876ae8687eedd06ca0fbfffd50cb490e22

SHA512
36d94acf1190c3e82dec9fd7d14e891e5d09c71f99a19fdf5996f5b112f9adb962459fd8bbed8d84f7596a6b91a7bc4914c2b13d73d442f80077204ecbe18973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c54195247655a08dd50abb55f92e7d8

SHA1
ed67f07b8a64e0d8b6045f2ac2af86340010ae3f

SHA256
fb0b2551b527ab892f55fc734e5c5dc5b64d1efcae0f42292f785eff122b0ea2

SHA512
5c9e4ca382c6900c25e86536cbcc359c24a1991e9a9297a9c394b70834b59ee5d763589c10b4df2aac0e19dc0f18b71f3bbff8acdbbfafc699cff26eb3715944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
de10eb77f7f3eb3e341072b822cbe455

SHA1
647f63a41e000e5a34d36bd668dc68c3ef05d67a

SHA256
78106085183984be26adb829b9137548d3359cc471186b5e179e0441742e8bf0

SHA512
c5340a3fa6009ccaabdf63528e3048d95c9228e6c0e1e76d139a6d8889afce7a0fc2e7cf0bce56c6687cd29b4efb2f929fec508447a34f288a436a6614139327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit