hxxps://ibit[.]ly/2B-pi

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ibit.ly/2B-pi

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570600338821632"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3692	2524	chrome.exe	85
PID 2524 wrote to memory of 3692	2524	chrome.exe	85
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 1848	2524	chrome.exe	89
PID 2524 wrote to memory of 116	2524	chrome.exe	90
PID 2524 wrote to memory of 116	2524	chrome.exe	90
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91
PID 2524 wrote to memory of 972	2524	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ibit.ly/2B-pi
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3a0d9758,0x7ffd3a0d9768,0x7ffd3a0d9778
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2468 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6140 --field-trial-handle=1804,i,14415869554290707775,6247827714694391889,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
743B

MD5
1a25d2a65088ba5354be3e33eb013c42

SHA1
b37f6a85b091ebdc8a16b4bdf848214623237087

SHA256
03bdef8a7e0d1b55980fcba6ee33cf3b50e0939488c2f32bd6b3351f5f2a85eb

SHA512
d271a05adab7eff0828d9e2b8c32582668da0f44a236bf0144370bd35addea85a22571c07736931f91b4909364fae2808d6b151d5363691ffaef7e8c9ad08072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
bcbc4684baefdddc14564039fd9bdd34

SHA1
84832c15b6d60d7eaca192684f11d10e5ce37a79

SHA256
bd011e251e596c0c249edf5785b5df708044463dadd493d28960dc6e3d316a23

SHA512
d73b0f21c2f00aa9c83cfdfaa662366504bf8b6f279ff971e535bed14bc7271c23157faa5bdba824bb5f2be95223c17741a7a1194079277621671f2558d89bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1097ed4820af94085cb352ec34b439ce

SHA1
84a77dc9b0ab7e79b471580f5a28f420d7cd358a

SHA256
cd70c5f6450b070970f4ffc27bca5015b1094d43e0f46c899063e7e9ea524f0c

SHA512
721de1b5bd1bb7976567fa2a413d16eda3ae3235de8703febb0dbf18a11fc1f8dbb884c1526519976b5f591ad1e8bfa39258fd41e28b369905b9bb3be46fd6f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0db6063b28175617f0fa50a2c3233bb1

SHA1
23afb22f2beeec1e0818c649b620c08ec4408873

SHA256
49e10a2a65863171f3cd7c5a7d0c6760e7a98e95fcdc352508d71719d81e44ad

SHA512
9f9b485d668da3cd028f37e4afb4a28a10e6f0bb46a047bcce65d246da867bf285e2c635d6f55ddcf1c075feed1eeecbc658e1ecbd28d1e38c78fc6f21b6f043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d6f5e3bd75671fa31c5d7fa313dc75ef

SHA1
84394c7f7fc7333d6394bac1328ae9345f6a2081

SHA256
3e372cf0a36021f706002381b4ad77446edbafb6df7568c84c60e294dfb86c28

SHA512
aa635663b106212057b0ded3174dc4c2632a47237f6bb8602dc251a75dcab20fa65d61f1206dbfdde9663499c1f6bc43e6aace8bb1b897993dd3b604578f6ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
922bda1596670e1e5960eaf8c59185b3

SHA1
3c8fa35ddd422e81f11a8ba0350184b8adcfcc70

SHA256
56f022351a0ebd07e2c3fbd42891fe5289acc5aab18b5d6256ac1949ceb431a4

SHA512
a2ae09d63e853f3f8b5807affff535354787edfdf08f836d848cbee880509aa59f75c8f5977dc18814cd22ef9ca10798bdf54be076e7e9a94e0dd6dfbb6a42e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit