hxxps://citii-mails[.]com/ger/magt/

Analysis

max time kernel
76s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://citii-mails.com/ger/magt/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558614069661387"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2492	4460	chrome.exe	89
PID 4460 wrote to memory of 2492	4460	chrome.exe	89
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4788	4460	chrome.exe	92
PID 4460 wrote to memory of 4400	4460	chrome.exe	93
PID 4460 wrote to memory of 4400	4460	chrome.exe	93
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94
PID 4460 wrote to memory of 324	4460	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://citii-mails.com/ger/magt/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe133f9758,0x7ffe133f9768,0x7ffe133f9778
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1880,i,5242587911714106706,833056882426155947,131072 /prefetch:8
  2⤵
  PID:4336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
48dc9ec56f78a09a50e107d48156bb4d

SHA1
0834834c55ebd6339379be5a4bf19091b5f46910

SHA256
6deb3c8ff9523d3f76cc62f9782db358cc756a4f305d2aced6bf7f7c9aaba6c6

SHA512
7bf0af51cd2efc3ef7cc273516a4434a598863040987a52c799ab5f76feab9ba2f6eae8a730c719534f79b4e2bc3bd5198ec03ae222afb7f6cd3e7258d6d2312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
96b54cf3246ccf5bb296981c7c15de46

SHA1
d532d1eec0638dbfceb4d7c0c33be904063204e6

SHA256
509da5bf3aac15ec18618bb32f576eb726f5469e2e80a2b38d6df0281b34cb70

SHA512
3e9dff39cd7c9558ef4cf3a381b7638397fb053e2031ed93c76466c85d4333d5fa08b07377c348d3156d59b384902b91551e763e54acb175b7b4de35f82a0e45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a462951f22ce917559cc852ba23a4b17

SHA1
b0d872d41080e3e37a3d7808df708407db8e658e

SHA256
e06c27c02bfc6632a87ae0cf6ef12302642ad50033dbc5961f1cf726c8aa7b78

SHA512
2b10db4dc74b79e5d9cb077f707eafdeabe2a9227d48c452cb485eb9e074576b4e5cda916810c1414ecd100a3dc1f7d5d0eb81a101d99543fa0ea46c35ef87c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
f59fbda01508f8b40225e456b1b31461

SHA1
3707d57d99fd0f03b1ff57592f5c81bba6c388bc

SHA256
7beb2ad5a6c83da617e5de9a5e302561148de3ef6abe0fddb55b300ac6370ff0

SHA512
4f9de8dd30ee13abdb14a2f34431de8aca7abdf6bffd846e37348fe961bfbc90118ff2446eea5bbe63f5c3247d75aa554a1384d34cc523a7e718b82de6d11418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d8463ecf2f70ac4e6782d64f8f03c1ba

SHA1
9ab850d6e2cec31b41dadf0c48e4797eed2bbfdb

SHA256
e4dd4bd77960ec092f72363f23487f954699e25f49f0ad68296a5a7b2a1001c4

SHA512
2a9aca8e1a195cf4622c463027355f9889765e7a7d7c5fdac66d19951474bb9015ed5a7eb5a0c21a0c579275448ecca476b22a6a3bebd0dc15fc931da6f15f5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1208a8bf68263a21f578ee74a4ce5090

SHA1
d189bbb3e3cf3cf8e5086ba4f7ab99f483578581

SHA256
cabbc77fca0a7b74d7834ba843066bba7c9d40cb97d7dce52350d3962e6390f0

SHA512
bdc49102da678cb9dc2f3f7ab5cc5375e9d838a3ab2cbe18b6190c8df5ea6c271dec5a8874ef54a744bc6dea8a0559fd9eac4651f5ba8fdb11d1e66495aad4c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c2b78dbf04266f0183b490a0b2fc255

SHA1
793aa4cb98dcb602ea20ed11b81a62d6e0657bf6

SHA256
c52d380d254222a5c875028cee5f72d79e95bc4c3c8b81d7d1e059406dd0023e

SHA512
e9e67c629cd0f705ab2bf070e7f4dd57f815f16ce8b8130b870bd427d7574cf07d59ca182a3d107ec22feb8d4a40527744ab2e9c3c370022ef488f2cd3491077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
66bb548bf71b31bde97c705dbf791ec3

SHA1
790e22e14c4ed3dde59f8dd868fd513d17d7c886

SHA256
bc39604bca18d8c8a333bc7f2b3e15ff93288cd2e82b90dc3ceab6c4388c4719

SHA512
313df50ae9230ffdce40713edc3dcc6209116a604c4cff0d93bf8ac49be5b6fdd079e3eca4c7bacb7950a5220357d391540f3a92599c38aad02dba4f873d61cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit