hxxps://l[.]ead[.]me/podhc63tv

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2023, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://l.ead.me/podhc63tv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133397972068136486"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
1640	chrome.exe
1640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4396	768	chrome.exe	52
PID 768 wrote to memory of 4396	768	chrome.exe	52
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4772	768	chrome.exe	73
PID 768 wrote to memory of 4452	768	chrome.exe	72
PID 768 wrote to memory of 4452	768	chrome.exe	72
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74
PID 768 wrote to memory of 3784	768	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://l.ead.me/podhc63tv
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc84569758,0x7ffc84569768,0x7ffc84569778
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3832 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1748,i,18056522262510437005,3239910686083636035,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
aa2aa401d2d81a5c509f572683ef3f70

SHA1
ea76a1824bbbf349f0474cca55914bd2f54e8122

SHA256
3e3dbbd82081928c8d107630a557a9747499f0f8251a506aab1caaea8d5ffbe6

SHA512
62e0c66f29544ed4174c8159ca4e6fe86bcdbfae412e26db9471799ae40282dc456251f9bf279d23671a2826ee33af2fec77fa590c6e92fb7d973299b0ce6414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ba2d8d344fdeb63d8c71604aefe47d7a

SHA1
38f8e05c83f9d56e280095ec6f746bdf44e597d2

SHA256
d9e72d4b5c06d9929eefec4b073350f33291b6fd4f26e9b9aea99489c22f37c4

SHA512
4c6b5cd3e0271c6bc0bf1e36534d94d977320ad2973c23b729f9e2fc420545315e7506347142add13cc85bcec5182db7a6218788409e4898bf4d5616a5394c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
0ed6c3a4b8aef3d6505bfc1a1e350eb3

SHA1
f5d2c2a7d82a6a2f96619871e12a7de99d1d91da

SHA256
c304f2a15cd42e7ce09315ebee237a43358a5a8d8b1020de2785e29bbfbcd59b

SHA512
6ea2dd4dd70a89f961658356331bc227afe3e764aa49292b6f2cc726bd16138421f51bef1aec631c738bcf7e90c492c05fd9421fba402ce9dd205c5eb9950008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
83f04367b21924e4bfc1c8b02a300114

SHA1
e9f75e1ecddf2a5d2c0209522d1d8a18c7fa8d66

SHA256
9f7ee4890368893b11fda6a9bd77d06b0cae3caf4d9238bb79a1316f9adeb1b4

SHA512
da37dd7f2ee05f246c3ba71b85758b96aa56427355162d015e86b4a5ec9b140b7338278463daaadc587adf8e14c4b0ba37c5903b0fc5d35b6ebb26dc96ea5e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
24b841f360ac9c47b88fe47fc2a70cb6

SHA1
64e058b6f4c8aafc5115afb0869a5c9e68528092

SHA256
7d6556de7936f0402481d642a724ab25edcc3eee1539839438642ed6d3763295

SHA512
34975754ea66111f7ba5c45015515917a5500222af4c2d5590edaf172241bb0596a9cdd69b78f376077e8b794a6d82870dfa25804a8b203ded254321a05e00a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
76335041e4c58dabf8945b3391d18bbb

SHA1
4f563cc2243d4b1f8dd21d37d093165f82165a40

SHA256
2a895b18855daf39e9585b6634245e178a125d99693ff18628cf7a0cd6a27e6a

SHA512
2e85568c743e3fb4675ac67913297600e9026c1aeaa4671301bcb420c357a1526e62b3fb5494306f16c9462c0f16b1faa7571933a0801de4e51ec760900cd58c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
09d4bb3549872d35558a793898f3f044

SHA1
224f45bdf28654fd8bf11a03ca9d7ec3fb59ed8a

SHA256
54001eeecf4d0dba941269bfd3f06e68399398709c0bf5358d4a640cd5a2ce06

SHA512
445320b1b61b4f16e4483bbd9a51448388bb5717d0a90fd3a7de536d3ebfcc1de1e3a7f201a728ca7c5e2374fcd861cd28de37150436b9d8c8e355b45598635b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit