hxxps://recover-account-mobile[.]com

Analysis

max time kernel
299s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19/02/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://recover-account-mobile.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528309456032131"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
1552	chrome.exe
1552	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1864	4276	chrome.exe	72
PID 4276 wrote to memory of 1864	4276	chrome.exe	72
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 4172	4276	chrome.exe	75
PID 4276 wrote to memory of 740	4276	chrome.exe	74
PID 4276 wrote to memory of 740	4276	chrome.exe	74
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76
PID 4276 wrote to memory of 3344	4276	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://recover-account-mobile.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd0d109758,0x7ffd0d109768,0x7ffd0d109778
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:2
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5008 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=928 --field-trial-handle=1716,i,3313245560081703908,16727071592743854659,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3f1de125-b66a-4cd5-87eb-dc1e59189689.tmp

Filesize
129KB

MD5
c47fccf84532f8ddeca3cce6a35a3cbb

SHA1
ca6e93724fe18a45c42579f1675a3f977c1212b7

SHA256
f852008baa3f7b855c535e43ff06e256d224cc5c7999ecb4b6ad26ba2de8f202

SHA512
ced68b4c4bb9554689ac90ca4e350505e72f62eeef46e77070b605eded362c03649542fcbda8d7911069ffb7c0d2e140729d5c58ff34f026eb996c6c37eaee9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d58e29731c434c1211a206c7a4ef222b

SHA1
493de9f1a6c2e0b488825678494036f5382cf8c7

SHA256
653d6caf05e42b9f75c23e0f36078198b8adc365d41ce92d5a5a63874d3afc44

SHA512
50920b0e1e7fe766d2dbf957922e0b78076d0c30b1523fde65ce9b4391cc1e1cf5d3cc68214710dfd88a015b5555afe99e58a7f584d5686e0170cf37958fa5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e6efacdd9f9ce06b575336608fd3790e

SHA1
b7fb17f1a2b17d14dc464300489dd8836f225620

SHA256
a3c8923be894bfb4091ac25fb67b88405acb3aeddbd8486d799a5b7d08d8a2fb

SHA512
a8f75c2629a5c16528834ac4dbaf1b0e1734cf79fae7c88fc31bb84681a582c99091153e9d7ec01275090f2965715d615e32f0f5917c3e6580a844004c0dbd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
32452ba619c4dab01b3f831f4678f34c

SHA1
f3785b5b54829bb160d835c45c85c16c0f1175ea

SHA256
29099e48263736f9f364af10ec3b047710199c56fa5578e3c3552e77cf252d8d

SHA512
aabea72085d842f209783a10328072a47264b3b9aa7b5ef509d4fb24c750fd2667acdd2947adac7d5cbf01e7642b1bbf10e413c3a3669a485d249789428fbeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
48c36a0bfabc188dd604192c579726a0

SHA1
3b93fd35541ba098c2a1340e04db36dcf4519ce6

SHA256
df3fcc530708f25d8afc7614d36786761db3d1a4965e13a45ab6f7686bcff6bc

SHA512
73bcac56ded0bc37bc0f57bb3a04532498217aaff4953732a1c0ffbc32a4e50327fefe52ee2c34eabadef970f6b25b1842aa162e350c850312adb9534913edf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1edb932ea0982c9d61bfdbf8445ad87d

SHA1
d15a44b99f6e285cd0f0410e260889fd98314b29

SHA256
eea77094162d80816ea36fa6f33d1defb45c813f1c6e011a74cb04edff4bb90e

SHA512
39617a1c2b7a1d5ef3623f0dd520b92d298ff7877c401e43ec1496cfb928dd28375fcd3acd5a7a8e9aa3f968441b98f9c753236ba0b147143b9da2dd09901f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
221dba5a9da84bdca399d416d3a1a682

SHA1
055f5f85b857ac61b47a2ab12f97d278af3f5b96

SHA256
f336e7ceaf6956f145212d5bdd4169e13456b1b362732f33a9d9a96ff38d8242

SHA512
266df94de39c4b720fedd27f794ac93b0e0313cd9ec64599c1bf068ce5efd8410740214b6dd7121f07366355724408538d4878f3e4502e7ea33691a1f014cc0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit