hxxps://reurl[.]cc/eWeDnW

Resubmissions

21/08/2023, 11:18

230821-nel2jaec7s 1

21/08/2023, 11:07

230821-m72r1scd73 1

Analysis

max time kernel
29s
max time network
34s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://reurl.cc/eWeDnW

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133370903384296004"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: 33	4936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4936	AUDIODG.EXE
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2340	4672	chrome.exe	70
PID 4672 wrote to memory of 2340	4672	chrome.exe	70
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 4772	4672	chrome.exe	73
PID 4672 wrote to memory of 1972	4672	chrome.exe	72
PID 4672 wrote to memory of 1972	4672	chrome.exe	72
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74
PID 4672 wrote to memory of 3928	4672	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://reurl.cc/eWeDnW
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd46119758,0x7ffd46119768,0x7ffd46119778
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4756 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3316 --field-trial-handle=1788,i,8660844026979150921,8966325097630606548,131072 /prefetch:8
  2⤵
  PID:5004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2e31bae7cab80be089e35bae7428884b

SHA1
af3b728682e4bb31a2cfc1371445447bf701a93a

SHA256
827dc66f23d6fb247c67f3793fd441be1bf82274b2cfec7d04eeecbf3da35f64

SHA512
66b20a30e681d7295e9505129ca52da5c7f46e1a5f3aa0628c72ae40128480c39cf986c6a521aea53c2340b502b3f7ede31819a54bbbbfa324c792b6f45b8b8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
971afa10701bcb5d280a2356abc929a6

SHA1
23f02917b5111f230300dd5886f6d71b915f3ad9

SHA256
386b9445cfc6764b44b02975a301323a2febf7d64b3256b3945ed95413dd3f2b

SHA512
fc5cbc8da396d69d988048fd6a0df7701711d504a19c11ad1d1dcbe23df6cc107812cb61e2f80383c660518f637d68f23aad0fe7654aef39c77703eb0700e493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
33b8cd3750fd257defabf80b9e84f1c7

SHA1
4a352d19cc47410cf24a160223542bc169f23219

SHA256
ff5ad44a6beba6a442a7cdeaeb1690292e4c9cdcbe130fa164a179fdcd06a4ea

SHA512
84c4deb503b4f0e53da294fd2f01ee85dc534fcd587b0f3ad99802675aea0df9bd7bc2447a4cb90068e8fe72c287845f93bc872fbcdcbe80d9f8c0dccc2947b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
652a173026e8f4bf98c22e9897efdc87

SHA1
69647b2cc5b024c5737097dd07c99297c511e57c

SHA256
c8e81c60f5ab5ddab669faf7041507d206d8f5188903c7553d661c6a1438f952

SHA512
665fc46f1cbb53acc45dd497031e5998e5b9f61dca18398dbe59b88b5266bf0536fb7ba11b92ffb8f0e5c515458a291c4b939580a82a10e6c6d8086f6d9d6d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit