hxxps://umleitungserinnerung[.]net/well-known

Analysis

max time kernel
600s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://umleitungserinnerung.net/well-known

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133417985060141592"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 764	4948	chrome.exe	81
PID 4948 wrote to memory of 764	4948	chrome.exe	81
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 5088	4948	chrome.exe	88
PID 4948 wrote to memory of 2668	4948	chrome.exe	89
PID 4948 wrote to memory of 2668	4948	chrome.exe	89
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90
PID 4948 wrote to memory of 3116	4948	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://umleitungserinnerung.net/well-known
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa83f39758,0x7ffa83f39768,0x7ffa83f39778
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5188 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=960 --field-trial-handle=1800,i,6028249224000289650,12861634079032374492,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
36deb404b0b0867b7e7f74400f6aaf07

SHA1
bc41273c728a97612dbdee5a67d931a340c5ecf0

SHA256
7305ada60a0ff07166dd156bf6c8acc9c512d8d03cd575bd79b432bfaa0f80cf

SHA512
d716cda34bb28d910de7247310176783d9dfe14e4d3ffdcb4091c72dbeb164670cb25d65a46760ca0b261aac6132634ee834bedad25b7cf0052e2f35e0655baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fb02e7dd88e3df9eee61a9c721fe01eb

SHA1
e804a6880c9481beffad271ab10a38f5c812f4bf

SHA256
653e4674eabd372b0dc40f33a6dcbf52006b2c0d587419e7e2a90f34aa21ed4a

SHA512
332c50e1388c4f4abe28354a61c467627ec18d82c115b28dc58053c6c17c4b3e21d8042efc5165093c77323371d96bc4ff3d12bb5fdbaa8ba2a78065f188dbe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5af1060aea1a3183ace8f0d75def6295

SHA1
13d0088d1d910f9807eaad18b2de0cd33ba16a9a

SHA256
ad63919778219d8fd0be0ef858ead91b59c5e25af9c0623d41259a1488ca4450

SHA512
bbdb978a9d22607719988a0b58a41c2315b372b0ac79ba14da9ccabe4e568b1b821fbc2d43d3a405cc8549f2a1c88ff07310eb667352ca8a64fc9b5d9b2a06fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
43b304a7c315cb1c79028743f13a1307

SHA1
9a2d924b1c9775176dec94b9294e87976dcf0f36

SHA256
c92c841e02144b316fb5bc79710779989b5191e00d5a782fd56b2a05cdecf4f5

SHA512
696e9a4c537c541476c60152c631922ca32f7448f7c753da5e160bd89bb27dd96286e97e90f0561ab4b3616f1e9e963da96b5aebcf9c5e3e6cc3865263463e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
83d9293f6a04a300417f5ccc05d96129

SHA1
5f61bc6a577bc7b318987a5d25017a077be6df17

SHA256
3595d2e6ad759af3cb549563cf2b34a523e10c752dd984e5e53f94c6c62c491d

SHA512
dfdda310fcc442a83f7927167bc8ad0ef114710a2c3c788d3e115b3731caee0a070273eb64dcfecdf8bb4da56d63ddcbed11beda18824c85236cb03c259bdebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
04ac1e46bb51ca881c3dfd76b24e0349

SHA1
c946866aeccc4f1f4fa4d20d25b2c1115492273e

SHA256
e33a7cf0c026ae2a08b6e3edcbe85ab2e1dff4edfbaa4c21aeee13d5ba45d3ab

SHA512
8101a515353ca2adb13d2eb0f2f569b737c438ff3377a6aed542290fbba8ebd68f5fc27e6e15a4eebb1ba674002ee5370d2256b92c675f5bd2983c99553ac76c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit