hxxps://2n8w[.]app[.]link/?~channel=Email&~feature=ConfirmationEmail--AtocETicket&~campaign=WebToApp&~tags=locale%3Den_GB&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay[.]google[.]com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom[.]thetrainline%26hl%3Den-GB&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes[.]apple[.]com%2FGB%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=hxxps://closeup[.]com[.]bo/cps/json/w3wfq8/marcus[.]kvist@beijerbygg[.]se

General

Target

https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--AtocETicket&~campaign=WebToApp&~tags=locale%3Den_GB&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Den-GB&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FGB%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=https://closeup.com.bo/cps/json/w3wfq8/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506759410735901"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2524 chrome.exe
2524 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2524 chrome.exe
2524 chrome.exe
2524 chrome.exe
2524 chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2524 wrote to memory of 4168	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 4168	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 2936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 764	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 764	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1936	2524	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--AtocETicket&~campaign=WebToApp&~tags=locale%3Den_GB&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Den-GB&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FGB%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=https://closeup.com.bo/cps/json/w3wfq8/[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffb8359758,0x7fffb8359768,0x7fffb8359778
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:1
2⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:8
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:2
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4808 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:1
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5008 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:1
2⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1804,i,10397995952013730835,13528461463472508288,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
6df23659a8a51432f361bc738b6d8b12

SHA1
e71b9117d23b155c5533494d902827259ca5b7d0

SHA256
4c9ac58ca425897555b7164d3aaac74afef5f10ff0bfb58c7abed5a771c8e67c

SHA512
7beba58f48ca6a5d76d8bdb23312bd2e1ef9f561e155b8753ce7d8606203c21c8398ee258f4c85d8ccc1035bf9ff7824d292b436ea78a07375b0e6fe9d2c5098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
23e0dd790ab1780414b9ab70945ba3e6

SHA1
2fa90c514339efe3f70d2dc5c3e1d826edbe7f01

SHA256
27d5cca6d4421b3e7af9f68c1030887aee6af557b2a38c2cc413a63e740e1778

SHA512
c32eaa08b54d4430971ed3f113f8471df2a18c5f45c513872e28a4f030dac560b55e3f8b7f5a568ffbb2dc5c1bdf5c94c5b7d40e3ea4ff4abdaa0f5bc00bb303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
173357ea92bcb9e74a59b62e9d243226

SHA1
d4757c2db62584a7c4718ba097d87f3717c238c8

SHA256
d813d1a0eefd86880231d0d4d5b919594c3f618372c0ebb0af58064db7a6aa17

SHA512
0111748934f55a2f8ee866d5414dd21cb0ff9137ad381a3d63bb7fbd44ded282bc14e333e7d004bfd567992399ca9de7c3ea822a96752dd6638e4c345bce8304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2524_RHFNTRKQVYDZMJCX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads