hxxps://doublethedonation[.]com/api/v1/company/99/mg-form?donation-identifier-b64=MDA2UGwwMDAwMDZtNGxBSUFR&api_key=jPlPbkWoZZr1O2tw&source=email

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://doublethedonation.com/api/v1/company/99/mg-form?donation-identifier-b64=MDA2UGwwMDAwMDZtNGxBSUFR&api_key=jPlPbkWoZZr1O2tw&source=email

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521787397936245"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2432	2380	chrome.exe	85
PID 2380 wrote to memory of 2432	2380	chrome.exe	85
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 512	2380	chrome.exe	88
PID 2380 wrote to memory of 3108	2380	chrome.exe	90
PID 2380 wrote to memory of 3108	2380	chrome.exe	90
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89
PID 2380 wrote to memory of 3136	2380	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://doublethedonation.com/api/v1/company/99/mg-form?donation-identifier-b64=MDA2UGwwMDAwMDZtNGxBSUFR&api_key=jPlPbkWoZZr1O2tw&source=email
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffde629758,0x7fffde629768,0x7fffde629778
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:2
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4720 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 --field-trial-handle=1848,i,3548058091207712547,6819816596891491863,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
46c3f6b0064c7e003a369ad2dbe50c14

SHA1
1c541e737e7b188fd07a87f188d3c4f5f6f2a774

SHA256
0d334be71e8457664327f085262e790e49c548678e87baedeed6282de583ddd4

SHA512
32e75ef1dfd1cc3aaea52de796d1cedb333ac420db7d824156efa55e9267c0853987d7804f85cce2fbcf9d388b9c3c64dc753030c0b8a3e7fbe473e6fad7006c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
56c808e14450320f6a6e7dadfb3dbffc

SHA1
c1ec95e92c5185b96e42a50b368fdf55221a4e52

SHA256
bd411687b2ff4c6b7285ea1e5a319b79e9e2c318feb568bd132b792d931fd02f

SHA512
d7d777af827293b8771ffe28582038bde88db349d082de41e947b724f89e4a737fec29723889ceaeb2af0d80f479ab234f1a65050c8d87847af389ce1b25f17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
80de1c889dcf544addc664459039ae43

SHA1
fdd06fb1deae1035409fce80638689c11d32f569

SHA256
c1f167240d4ed78e289abd49766d4df5c323cea3a26eb7b68c1553f06fee4acf

SHA512
062688c97fd9a9b15242622ff1e95f1704562074ff98fc2502c7263e9cc5fdb59a973468504d0283293f0f1fb6e7403f60806b9eb0e49f1ff85f09518fe93238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
52c01cc92612d59ed22b17d86826d620

SHA1
7567506af71a1fcdd41620eaafd148f789040fb8

SHA256
bb1e175897c3a086782a6922c1af232ba81b19b99cd21e369c86b24093bf4e62

SHA512
515cc6546e27b17514b9228151ac71534281e2c6a231c3a71013656e641808afce188304243305635fdd39c9e473282b1c99131dbb73eb9b91e2dd3926305dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
0019874a6397d37e6c307b4bc6a1d2d3

SHA1
b8db172051d8eb093aa6e19d9e3eb1a3868720bb

SHA256
02801b0b15a36be14374d680eb3bb962fbb89089050dacc57e27a3eda41c31f7

SHA512
ec61393902ae602449cf6438188f5b11624466fe6174e8a9cf0d0a9d9757ee1c9d13db78103b61d72d59eda95f5e9b34796abec11f79e4b474560ff5a4d5dd6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit