hxxps://escapetechnologiesinc[.]orjuliet[.]com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=

Resubmissions

28/01/2024, 06:49

240128-hlggqsded2 1

28/01/2024, 06:44

240128-hhqagadea2 1

Analysis

max time kernel
149s
max time network
145s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
28/01/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://escapetechnologiesinc.orjuliet.com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133508978818847061"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
96	chrome.exe
96	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 96 wrote to memory of 5104	96	chrome.exe	17
PID 96 wrote to memory of 5104	96	chrome.exe	17
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 4692	96	chrome.exe	48
PID 96 wrote to memory of 1416	96	chrome.exe	50
PID 96 wrote to memory of 1416	96	chrome.exe	50
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49
PID 96 wrote to memory of 3188	96	chrome.exe	49

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd88e19758,0x7ffd88e19768,0x7ffd88e19778
1⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://escapetechnologiesinc.orjuliet.com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:96
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:2
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3748 --field-trial-handle=1756,i,4245914836693821136,12263422732015717334,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
915B

MD5
6bd6b539ef66977464844d00db0c7b20

SHA1
d335500f4b04d2bca51ad5a509512310669f51b8

SHA256
0f1f92a7822a0090bf974beb1e39a85491475e3475a59027d9cdc50e2214c1c2

SHA512
0d0f2a24b944c484e552aaa593d24940c5a7020078297a2e64814d1df91eb57a1e275a7161a4208a69e9f715acc586c8b3fea72339643168b9ebfa9ec4686436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
34264e31d2f0a550a57bce9d4d02d9bb

SHA1
1de92f5bd97df184e0da6d011a268be4bc801ac5

SHA256
592f1eab0ae6940ad51c9f32a570e307a6e4de1f8994c652541a6e0b015e67c1

SHA512
9424afb6eb03f5f7c2bcf496f8e6cc00ba789d79b0386c152b26b9e6354e9b4b1820cd15dfd2a18f2ab723aab95b41e4c80ebcbea4f82dab5baceccfec59f5ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b237d5bef61eb22adaa61e68ce29488d

SHA1
fafc4def40006629e42865cd8d9f746c65a9f2d5

SHA256
55eefd1eae7a33c81e479508186f90591dd0306bb2b6aa503ac5a7c0b875e058

SHA512
ba38d15d2f6fb2a9dc6561e228ba4e1773d5d51b1bc6573d581763e82f6d9f49d4c31cf9a9d2c049056d15b6b025d3393e862466ec81c08da4abcec3635017ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
056bdf77777a0ac4bf9a02792fde90af

SHA1
74a19125a3c8a74c0f62f1009112fa703f30579b

SHA256
22447f03d6a34c90f9674138bfb2059095e49388af863eade1e167e9d64ba3db

SHA512
3d3605edecfedbcfe95023032cfdfc5bb7d3a070a7d4ff17edd052e3b7447120abd47e344040884990aafd23fa421d830376fae1ee811824aed1ee8fa4069cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit