hxxps://escapetechnologiesinc[.]orjuliet[.]com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=

Resubmissions

28-01-2024 06:49

240128-hlggqsded2 1

28-01-2024 06:44

240128-hhqagadea2 1

Analysis

max time kernel
150s
max time network
131s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
28-01-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://escapetechnologiesinc.orjuliet.com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133508981764740417"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4344	chrome.exe
4344	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4344	chrome.exe
4344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 296	4344	chrome.exe	14
PID 4344 wrote to memory of 296	4344	chrome.exe	14
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 1848	4344	chrome.exe	75
PID 4344 wrote to memory of 4824	4344	chrome.exe	74
PID 4344 wrote to memory of 4824	4344	chrome.exe	74
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76
PID 4344 wrote to memory of 1856	4344	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea5b29758,0x7ffea5b29768,0x7ffea5b29778
1⤵
PID:296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://escapetechnologiesinc.orjuliet.com/api/mailings/unsubscribe/PMRGSZBCHIYTOOBXHEWCE33SM4RDUITBMVSTINRWHE4S2ZRQHAZC2NDFGNSS2OBVMZRC2ZRUGY4TENRSGU4WKYRQEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEZCDKNQUELL2MFMHG3CHGBWV6MSUJRJFEMSNM5BG62JXK43XO2TWI4YHK43BNRDWON3LKE6SE7I=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1800,i,13264131138116098017,11296357424903571244,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
722B

MD5
1ce4970fe3b0cb0ae7912c086d9278d9

SHA1
3f2791fd7b973af978e074a885f6bfd7685dffc1

SHA256
a68510f55897249b91eb30b2e45c145a5c6f18a2f5a544f52002684c70084d1b

SHA512
37b05e4fdaf7175edb1b4a2af47e069c9de46f2ab40e9ab93b5ae3c3c22ce19d8ff2bd4a80c2f540d7d74a223c8b7f80325dbe31974147239e9b782682eef514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
e42b26747f01b0014fd0bdfc5d3e2b7c

SHA1
51ba6ea2180b2409e65c995e923ca4aaf3f7d575

SHA256
f73219d4f8edb6e7dd9379d29f071390be999c60fda037590396cac831b1fe19

SHA512
b36f2f8c50ff2466be8645298edfda2964d8c026969f93375127334b7214c64690233d3a9e8705f9002e8ecca00de2ae5a18f2049a7cece8dfb7b2251045cc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6fe2b0d6d7e26c4a785a39da35d1d4c6

SHA1
0d94a54af98339e5f5a412bb5cc2b9785cfd4fa1

SHA256
23287a3e4f1e9b90c2e73929a2405dc5d5bcd1572d85050b2c0d33f93dc16ffa

SHA512
4f8cbbf8a784865e41efe60e64c27f848561799e7469d7b762e4a2bf443610c6c9c2e96f9d0c25bf43c120ebc517f25659cc57fe66bb328b579a5153823f458d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
88738e2122b920c4fb174882ee71c12f

SHA1
8634c3edc6960f96a4e09cd7ea07b5ce6944c1da

SHA256
149a7432b30f46286c4e3ba2475978c13198cd31a361250a20d3c92fdf103768

SHA512
b93502a53c4344ea42b79ec1a0a5a684b3f59791baa7a16fc89c4331585c0feea4115a86b11884a7d33a32a532eb1b5e91a0032d378d958aa27df309d9bb22f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3c2646656924247ce7ee3663cc90278c

SHA1
c113a2cc6ef8afd0b125b931ae533329b1f48560

SHA256
41cbfd68e32dd250df362f98d370fc7ba270a992674e1886cfc31e14dd134c49

SHA512
134906db8362c5fc192b1112338258843cc8373ae6065f43f8263dbf9de763d16b654e5dd384414be4902ae7d6777e6a4981cbe1f8a8d7b16af133755a61d097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
361727c5f41534f09fca16de7a4037b9

SHA1
8c5fb1664c1112739e7c22b191e8da55b2fd44a0

SHA256
95fd93b43df541547f79a1d65e60073311e3e7aca15c1871a91b33345e61c8af

SHA512
52a0867644b9b79ad6042ff5b1d3f02e97842bfaf93de50488f31ca54130b3759bd2dcc704a41cf71294f20262ab1bfa5968d410ea7bd0bb3ae681339be7ac4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit