hxxp://logmein[.]design

General

Target

http://logmein.design

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522352153625750"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4740 chrome.exe
4740 chrome.exe
712 chrome.exe
712 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4740 chrome.exe
4740 chrome.exe
4740 chrome.exe
4740 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4740 wrote to memory of 4768	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4768	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4804	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4880	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 4880	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe
PID 4740 wrote to memory of 3120	4740	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://logmein.design
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffada369758,0x7ffada369768,0x7ffada369778
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:2
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2672 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:1
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2644 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:1
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3936 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3128 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:1
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3596 --field-trial-handle=1808,i,5368283002935064714,11226562473724797389,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b72e9d8f8afa191fbc9395464ca683cd

SHA1
5fe0b6b356efae54e56d07909d26b6e3979c7d47

SHA256
d663ce00eff7c3d862ee86e2094901b591ff4a0ba4f0403908148d82dcba8bc0

SHA512
70f8d3fa332a36e0645b0caa4800e7518578225f507076c6c985016d2603de1c1f2845f3fa24a82ca994a13acdd8d6c5fb8962c27595f986eb93cfec812a90bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ecd925c847080ef221d394db8105244c

SHA1
e8eb4ee06f02fa3c89f2f5e4f34faeaf621326e0

SHA256
4626d3e259e0b36df66cd3631dcfbfd80ce22ecca4b422a94f53f70ff5a50536

SHA512
9be12744f7a24d56d4ecd614299b042b085e7c3bf45256c2d69b38e3b0d4666277ca6dad13e7a12ec274afb45533220de36a9857f60754c1a31947cbe3955d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1598173f0d5d4763e462919948e16708

SHA1
ed913a4159b4e122977f4530032e8b095455b23e

SHA256
5d4ac1342202a3103db37f8074bc789fc8179bb054791a5794e5df048de96e39

SHA512
8b76acd387a93d3eb215fff2f4d48cdfdae85902f2da9a48b47d00adbd312b470c6b759057443b8f931d5e8ca34a74c7d98dd877c15794c35300500f01414c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a31c6de5ff93a64e1a8cc6243ca61315

SHA1
3b72efe1de822bb5841106d7d9ec11865453116f

SHA256
c7213b5464dc6e32f2fd3eecde6c0c04770207b49f469559c19f788a959729a1

SHA512
cabe3fb9668baaadb2f8bf9c3a9836f33c88d0083cb77f0a20e7a9abfb20ec61b53348ed932891929989f115dc46245a83b3b5f2be8b82ca767045ff628549d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
b84f059debcffad76cbf5ecea90d5f25

SHA1
66629348f35e2d33aee8dafc532819e873235c84

SHA256
2d74759c605b667c364bd24f3f7808e23d2fe449a1d32d173978f951ab5c9e70

SHA512
492a128447a2b9c2e5943303424168b771dceb4fc5b670fc9daea123b99cceb3f996b60a58cfade05594f1f94cf04d649db817df1d00c02f1c963ef98e5deaf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4740_FGSNEUNGZYXSXZXN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads