hxxps://cloudflare-ipfs[.]com/ipfs/bafybeiebetkb2fo4goy4i6d7bd6trv4rvyo5guudow5alnzf6hzx5i3ywu/marrrudeee[.]html#john[.]doe@hobbit[.]com

Analysis

max time kernel
73s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cloudflare-ipfs.com/ipfs/bafybeiebetkb2fo4goy4i6d7bd6trv4rvyo5guudow5alnzf6hzx5i3ywu/marrrudeee.html#john.doe@hobbit.com

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 cloudflare-ipfs.com
10 cloudflare-ipfs.com

flow	ioc
7	cloudflare-ipfs.com
10	cloudflare-ipfs.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577266450275851"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4452 chrome.exe
4452 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4452 chrome.exe
4452 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4452 wrote to memory of 1592	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 1592	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4772	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4996	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 4996	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe
PID 4452 wrote to memory of 3988	4452	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cloudflare-ipfs.com/ipfs/bafybeiebetkb2fo4goy4i6d7bd6trv4rvyo5guudow5alnzf6hzx5i3ywu/marrrudeee.html#john.doe@hobbit.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9015ab58,0x7ffe9015ab68,0x7ffe9015ab78
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:2
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:1
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1908,i,13210433505701736593,6135757848369637725,131072 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
290d19c2a8f1cf9bdb34b0a69ca2abd0

SHA1
63233883113e36985c3388b4e35b0b29dd6b3e83

SHA256
37e66a5c385f1b9a50ca3d9cb40f11cf5debd69d85e5b2f390381d56667d774f

SHA512
665190fd29c998d726c389e0aa6b8cb7ff34983d36f7396132c80d23157aed9b0897c5677fe4d1405acc8c0a027a9432bbb693f3f249f8945a428fdf32309c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
2617b5df0a197a794b1729f6f234217b

SHA1
3cb1d298b34c8c3d1f2a5a0a618160a7aefa13b1

SHA256
821013c56d036c119c3498436ede943f67cba3e4bc5831313aaabe32958fc79e

SHA512
7e96a5c44a3e7e9be6a02739b52c4aeef1a52c919914f049187a1e2820f2e9424f438e1f9b197e967a9b75fa6b462a71af7ae02202f8b428af80047f2515ab6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
549e4931db6a97155c5881eb48e3c251

SHA1
5b0e0ffddfa5bc72d923b10b07f633649cc48658

SHA256
40e4e51193f6efd17b6ea09d4748da41229016e4929851524067bee4b64ae3fe

SHA512
7eefb2d1d3e250d88d49edea62904d39526b9a30f7d14e0d443b49e1237f38d63e0b7f954c6c0f651f4cfb218aadca70a52afe52814fc181ef63eda7a44be39f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ca59fab0006a815940402966bb74d9a6

SHA1
3b1386fe0bce9f990b306a5af1809e7be3cd0708

SHA256
befaa585ebdc85726ae6515b1b2e31c7eb455a64e66f33f4d7f0a4956a09f1fc

SHA512
5711633e7c596fc16119fed4c66bdab4564b7f96daf4fafd0e6e6b94b2071e6f215c62eb0c95d39c257750d0378518d27c42a733748c80d87b2361d021f32f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1cf6444219a3897ff0ee3748c2690611

SHA1
d4e407a44751d2d5f2e2b60d01c3431bda4d9d8e

SHA256
3de565a7e1dcf4c0d4bbe117f1af23878897535ffab2ce8630bc115d95a37bbb

SHA512
9bb61ecb5e80f960a041f38b3121d0c3b8003887f4d76834aa176b47e78f9857c7b565573163c2d0574c8d5eff60eedac5b2514fa22a88764a5eb9a5170bb714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
efbb9975a346d97fcbb26e3d538d1a1b

SHA1
dba35b95533d1e11b71ca2a51dd77fcf41e14e38

SHA256
338401d51f59d62a706087e8f82d084b920bcc80f33ae1f74065f4707cf575da

SHA512
5906d2696ca6c614a3ef51550ce4f56c59f9401e152dfffc7c5eb0c32c7443436874c19d678fd150db37653f8ba0729b54ef588c53718e3ecb88ff9d1ed849a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
127KB

MD5
77fcdfb4ca28f5091e5d2f4949f465bd

SHA1
4d32b4a645b5fe9cd816641dfb11097f2fb1184b

SHA256
1c30f2fc75faa35d6d707a64936ed62acafc5f6e0de3c7b22bee234b01c5616e

SHA512
05cf4082591d233207c7eaad549f14ba3d9aaeedae8b7bbd52ef3c1c46d3e5343b822d71bd25ce101baa0fa8ccb82539f5e40346a826a8f79511c591f612f166

Download Submit
\??\pipe\crashpad_4452_JGRJFLBUOCYAOMTE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit