hxxps://splashthat[.]com/unsubscribe?unsubscribe=1&gz=059654d6580e9c95679213b2323e353a185e1dbc80ec00ae0ffd91d0166ce83c&event_id=458918840

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://splashthat.com/unsubscribe?unsubscribe=1&gz=059654d6580e9c95679213b2323e353a185e1dbc80ec00ae0ffd91d0166ce83c&event_id=458918840

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133541974965816730"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3824	3028	chrome.exe	89
PID 3028 wrote to memory of 3824	3028	chrome.exe	89
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 1744	3028	chrome.exe	91
PID 3028 wrote to memory of 4436	3028	chrome.exe	92
PID 3028 wrote to memory of 4436	3028	chrome.exe	92
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93
PID 3028 wrote to memory of 1460	3028	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://splashthat.com/unsubscribe?unsubscribe=1&gz=059654d6580e9c95679213b2323e353a185e1dbc80ec00ae0ffd91d0166ce83c&event_id=458918840
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d0c39758,0x7ff8d0c39768,0x7ff8d0c39778
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:2
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4708 --field-trial-handle=1756,i,13085404585227254635,48223016683474468,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
e599e4e8f6aa181d21228bf2d0f7227c

SHA1
39c0eaec26464c4a9cf12c55a8d2582f144b1d5e

SHA256
87815e9056fb6d0867df01280391c95bedefdfd579eeedc903c5e61e2a18d350

SHA512
d91fd82f64c6cb49f36b3a9b34b88a18fb826cfd0c607ed3a7c9a780b9cf8e76e9475d01bfa8a2d30f11b50f8d174421fdf7c09aced467384355594d449bd91d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2b20f55c8b3a3631834df3d08832874d

SHA1
458a174963bea4d93d351ae6060118167323121d

SHA256
fa457ee593238b474e3722252037a1eb647d4479eb6f6b909d67471c8488b75b

SHA512
dda28d41a16f3947b27296fb4250325185761ab91c668c0fb63350abab2799f41fa30f94500fe4b2e14baeae206faeed6d0988dc92895ddb5eea8573de42daf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
eeb2a8415c0a4590d034504a21c75437

SHA1
5ea967db31229909f9d1dcef274f953562f6609a

SHA256
9f027ae58e6d1fb3b163df6905c6acbc36d3cba65ebd3cddaaaf39a4fd5811ba

SHA512
cdb631e32a76543b783753e1713d5970b1c5a3b3845cef2e914c87047b905554dceb2c1a4b3c034696753e63c1657a929990af72d4a837a71e60cbd76dcd0ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f5c99ab3af3e68c584e25dc8cca304e9

SHA1
453f8ec5df89652bc7e5f487d42f791840f704db

SHA256
7b431c1e57ad898f91e21177257a55a7493099ddead31f0bdb759bef68ee3fa0

SHA512
b41b1060dff23d28997497a54f1351b0c2e04d35b31940db71d9628a1a86526370aa769350f93313a753f8e1a9da27f99d4d9467bde616dc1bb235464175c725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
a8a7a2fb26987503a67c8d4c0b99db77

SHA1
fb4ffb61958fd84959b97481dddfcfb79fe695af

SHA256
1bd873680564917e33ac3846c5b8dbfd2091b602bf51bc51c0b083b103a7b830

SHA512
f8572073ad55ddaaf4b705057d0eb729de36966de68754db83385c2bb285ecd3a007fed6300ae654deabc9836eec2c653f30474c99d8569a03878e74b59b94e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit