hxxps://e9d02e[.]6x669ripr[.]ru/ab@manulifeam[.]com

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://e9d02e.6x669ripr.ru/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409426189178162"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
4752	chrome.exe
4752	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1476	2252	chrome.exe	21
PID 2252 wrote to memory of 1476	2252	chrome.exe	21
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1932	2252	chrome.exe	89
PID 2252 wrote to memory of 1996	2252	chrome.exe	91
PID 2252 wrote to memory of 1996	2252	chrome.exe	91
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90
PID 2252 wrote to memory of 4392	2252	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://e9d02e.6x669ripr.ru/[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7fffd15a9758,0x7fffd15a9768,0x7fffd15a9778
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5160 --field-trial-handle=1864,i,6860126887393763646,9682369055206513148,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
86a66851dae753512cc6f486360696c3

SHA1
94226b087e3d66e2f7d16823ea5c8445a31586d9

SHA256
d79cbd62c3d9a1db39d0dd5933d87b6eeb965cd1882c760b40abde0648d4d544

SHA512
0d4b793664fa75e2922d95c04c7db5d7071904a548c43edb5755d988ea344b90545ee08c82f5345bcceed11453d72e166ecc90bdfe053a4ea766d1f515d5eae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0798bf1aa30ea177e8a7a84e4c05ac3b

SHA1
c4b7d546b7ae03d728a7887831f967d9cee2730d

SHA256
bc393aebe0385e77c1e1fc9b8a80fed4d8b35db5ccfc5682117de2b6ed5fab52

SHA512
77acc78d385a9cab10503c71e342d2d7930ef5ca4151c3f0ecc6a5e66c7f0fcff78273cd93beb32ec04bf7bc41d1c431e4b9196354e23dd233a8c54d31fb1294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f6858454b2356a77db144866b2a118c0

SHA1
26628a640c1e4699c13f695ebd0c5af85f54ad23

SHA256
c96bd9010084345098b8f2d9a0778593ff8ad52bdfd0c1b6c4455f76f04ae748

SHA512
871756051f5c8fdc11f295c84356f0a069f7accee226a39ed397308851988c69e1d1aaf89ec136429bda0b0f088dfa3410dd274c003ef58a43e28061eebb66c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
eda6220aa6fbf30c05843d162942fd94

SHA1
2060f19d8927a0ab3a75b63c94c65bb4dd25a2db

SHA256
b56eea8eafadcfaac267d7b6e83146fe0fd04e43e044dec5b2fffe8db0106cda

SHA512
7f5182f0e860abfdd8eb74ba0e8d0a4b84b2dfbed1eb89e69d9c58189f382cca03d54f98342a5190133daaf5559502bdcb10adba0e89908ffef828daa6c4b240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ec65384716632f2669e08527907aee7

SHA1
88d75cc4657a925944d6ca66bca65c061af02490

SHA256
fefea0fdf5c84d80ff898772e48a4dc241112e86c680c33610ce3430a157a9ff

SHA512
b8a280312bd6afbd6527712841bb0ca7b0e0c4ae2cc101b817663de7daaf5f8d6c28a7438360f1f9fcb17c7740accb341902c4eb9fa3b447d198409ca4502b78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
50fb8bf96024caab880515b3ec5a24fd

SHA1
49b4dfb5aaa76e7adadda9b66ea7cf12237daad1

SHA256
cdbcf591366c87667450a387ba5787d2c44425da6809eba70bc09a5b75d4a589

SHA512
9f358d4c329e603ddbda982573d50da07805bc6959cc8b505caea60c4724604f1f1ae2b313908f4c72c4c92b238aaab610ab24b3e4b564d214543367acd257c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit