hxxp://egefjbi[.]r[.]af[.]d[.]sendibt2[.]com

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
29/08/2023, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://egefjbi.r.af.d.sendibt2.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377590522782229"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2036	4320	chrome.exe	70
PID 4320 wrote to memory of 2036	4320	chrome.exe	70
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4916	4320	chrome.exe	72
PID 4320 wrote to memory of 4860	4320	chrome.exe	74
PID 4320 wrote to memory of 4860	4320	chrome.exe	74
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73
PID 4320 wrote to memory of 3836	4320	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://egefjbi.r.af.d.sendibt2.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd889e9758,0x7ffd889e9768,0x7ffd889e9778
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2700 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2680 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1748,i,1894357658919508602,17696765521091805424,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\64551993-b68d-49f6-b2ad-7d1b6a14808c.tmp

Filesize
6KB

MD5
a5aa09b88b10655c709b3aa40ded9a6a

SHA1
d337e14041c11a6cbc85254cdfe60ef14338558d

SHA256
b43e666e3cb1d2eeca8b1763420fc285f1db544c6071bee59ea80dfabe667dbf

SHA512
7deaba46c738f8cc60b3fd03ab702cda9b1b7165c94e5e6b222dd28dad7a21d2e15af93af8bafc93cbc35df16468f6b15e15a88c3395db30c5610976c761f8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
db0fdee13bcf88226ce5cb564a096f38

SHA1
b8f46d6e955604a0d53b39aaa2731d1475c1bfa1

SHA256
ba03bfb3cd1775a3f4e824fc379fc4d550295de2ba8f808eac26bd0177b05ba6

SHA512
61ec5e3606b539a796c75c308c3a91fe286977ecb4312509754a394b283e09ce5d2a5929d5f0958ea43f05be4c6acfa4c25dea89cddfd379f6911303e5712511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cc167a3dae604b2785f3cb11878c2cfe

SHA1
830778b08172bd8246787463886ca84e84c508a2

SHA256
8fdff0cf775a1621d86cb4371498e5e1d009c4c86cf0940d179f77f774c10748

SHA512
d57b2ec1fc66d9f243a74b993c5d7c8c0a3597335f01f852479a2b5a1b4290dd36260607a9d2c504c9773821098cdbe8d09b4846051f8aae49695456d8af114d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2aa364ff5ffb5c214e30f23bec8a67ae

SHA1
0a0cd7bdfcb32cea390f0dab6239536b887f018a

SHA256
8e32750192832683e2769f5939358841aa203fb9d8318cb04c7272bdd2013da0

SHA512
d1a778697c62ca91456f89ff26a6228de5ffac4c8305964ceeab37a64bfcf3b45301a086ced1a37a5bedee1de9b89c8c7bab48b88793a3a01e52033f419c30d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
83f2b13a1d970168d2462caecb562b3e

SHA1
3d43873d6de1b446107ea63d193b65f0a9a4e6db

SHA256
1257477f0f0568f3a8ceb0a3ce71bdc52e6a3eb4c26dcb37f3b192b83829e8ef

SHA512
93f06ed1f6732df6d965b16d5d3b2849f6c60332c546f4819d45c6bd70d7d69cd566bc35db0aa6db8f3a8e5c1ed5148182bc17a1ce98941f8e5526729f3da76c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d4cf5e0b0a967deb17e3eb0ea878ecd5

SHA1
0df43b36b9b3fc6b83b6397131cdfe58115e7106

SHA256
b1280e75daf33302ebec46530eaf3d150870eaf03dfa289e4e6ba518f18a0866

SHA512
c26dc605570dd9c272cbc98141725db905fe883b740f64d991377d1f9f6584298c53a7816e7ce72c172208d327ee6c00925495cc6a66cff11ea79d7699e01434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
61d6488ecbdfa8aa484aa64bb1c338d4

SHA1
0c1bdde00485680e1bb11498971935ced39ea4d6

SHA256
8c542b5fbe7d463cf87ebd2720872b457760c987e1c1053d3efaffd8b562eaad

SHA512
653ccdc91e48158874a51b37c11971493c8b5213aac7adffe56ad8d83113c362dcdd51feccf12394d52163623b302ce97d3c62be5ae5364d94b0a2eb7089a85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit