hxxps://www[.]luftbildsuche[.]de/search[.]php?text=John+Deere+Europe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.luftbildsuche.de/search.php?text=John+Deere+Europe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504522974066182"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3876	5064	chrome.exe	76
PID 5064 wrote to memory of 3876	5064	chrome.exe	76
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 116	5064	chrome.exe	89
PID 5064 wrote to memory of 452	5064	chrome.exe	90
PID 5064 wrote to memory of 452	5064	chrome.exe	90
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92
PID 5064 wrote to memory of 1412	5064	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.luftbildsuche.de/search.php?text=John+Deere+Europe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcae169758,0x7ffcae169768,0x7ffcae169778
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:2
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 --field-trial-handle=1868,i,16982391452732769727,9825411525231646554,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
0b5276fbba26ee50091a6e2ccb1f37e7

SHA1
6483d60f6f22f2ca4ddca0110c26df9f535b7281

SHA256
646e3c5f1aaa465eec9f797b820586946750ccd57f8004488d4a5d30524d8467

SHA512
c9ea3e4443f0e7f7d7e09e6122dd79b20be7c7666a9e3ffa911ddfe5438743c0c1a78f4e714920690002a99eed465f911d35e2f9d624ad36ec26c6aede968598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df657b9f887fe5f2afdcc43b29e1f48a

SHA1
6b54fec36c803dbd2886c5836ccc123642ea7498

SHA256
97172da420af968d0db2980590282dbacb3ac84a3144d708b17a73020a1fc9c1

SHA512
5b0597260e4e0bbebe44dc14a086aabb49d9b91969c7345f5b36ea58497b69a570f1aa4ee53cfc47dad8e29e1c94f270ded9d051dbeab4da97c45008a99bfd9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
9f666d4cf63ec6a25bc954d09323f1ae

SHA1
c4c05a968902306e9ddaec36b54ff74fdc5115b5

SHA256
e1d5aa13e7bf940b0a2acb286e7eabcd5646e9b495322f4fc2fbdb7976ebaaae

SHA512
87a01cffb4f4cba64c2e9268ae5f7d8b271057015d0793985ef885e61454f98dca4180405015f7b86bd8322dfe62f9a5b08fedfc258bbf9a8d53000ea20c4f3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e0db3410e679bf9a527468e9510e3e40

SHA1
124dded187ab978e0b591393e646003fc3053db6

SHA256
cbd6886c663fdd7967aff32a7be346898b1834a2243f5f8d27deb3001dbc3bb8

SHA512
5adc3079c306ef7449f73fd26022b41ea14fa18e26c0c01f4a39e69d88e1ca7115f0ea143acadedd58eeba1210e8b1af08bfe2481f3d7541538f4ae0d71fd106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
03a5041c580a069448b4bb2052a17e89

SHA1
9fb2d830853ab34b31fef1e46b90aacc121247ac

SHA256
34af7c4d2206619b414e86248e15a60d9269dd6c65f55523ae51cb8a9edea443

SHA512
6b14ae71ca85fa1df3b0c9fdb943affbbb0f22f28a2f44e4a16cea678ecc8ec3ca69dc3dfb2caa99d2d200cc4b56841ad702be6a59fc2c68d70b52e1f9d44bcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit