hxxps://mayfrey[.]github[.]io/refimautomatic-bassoonproved-nigmareadventureactored-couscousstudious-sni/

General

Target

https://mayfrey.github.io/refimautomatic-bassoonproved-nigmareadventureactored-couscousstudious-sni/

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577875871646883"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1596 chrome.exe
1596 chrome.exe
3164 chrome.exe
3164 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1596 chrome.exe
1596 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1596 wrote to memory of 872	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 872	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2880	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 3488	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 3488	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4252	1596	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mayfrey.github.io/refimautomatic-bassoonproved-nigmareadventureactored-couscousstudious-sni/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82646ab58,0x7ff82646ab68,0x7ff82646ab78
2⤵
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:2
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:8
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:1
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:8
2⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 --field-trial-handle=1832,i,9909678400195942184,10763826995105804941,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
eafdda0935bbde87032e62c289822a3e

SHA1
e9ba2181efbd65ff8865a49e161e2ce768463919

SHA256
d8a84278666670410bb53b1c9bbebdfa2b4d9a84709afdfccfb082ca1fe2b7db

SHA512
c83938c5607889326eb6e98c82b7a2ff3d2241ace60caabd56790868e85193dad5e14475f37fcd0b6e1f8d5397eed0dcdc257586c57d2c61860164e39a45ef81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
5b928af8415a6f3377635c83a46fae24

SHA1
eb2f08c725284956b0b6f3d805bb881c5b0db55d

SHA256
e274915fe02f5182cddd4e8b4195e1b238ac46a2d65f6e4c781b5b3c5363f39b

SHA512
c59a917ada54d70947fac049e80ae9b3b94e9e4c24450e3839897ca3e26a9c7482081c7e14ed5714c5b1a51215722f6cc163e42605912232a123b610c6d0a512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
b7d491195cc23bf23ec0c77ce9c6cba5

SHA1
f7c2874b12c56e3f1bf32f500c2667e49c0066e4

SHA256
780b0c81fd4a47c24b4f22e860d5441620c294bc92785ab32149cb4f4f4f9f85

SHA512
a8c85f13f0b3a4e0bae185fc73b6573369a1b9fe1e8ecdf304a62b9f44ca269900ede506f1309e4c0c1c10ec9f413c5119ccb271581079013345fcabc5a8992b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c27982df1fc102689915408afb45ccee

SHA1
e0b5d5445c2bc23f80492a18374b59da70a97e38

SHA256
9273dc2c156920d1d84a57c9a500bb4270a8defc3270e832e30b3e430ffff22a

SHA512
963b6d5cb6ce983e1f4973ff8260cc72dbb44f2d742f55f807fec09a81d4a0250f8ddd3ffc1a2368b11f7ea840f156253c1da30433ba2b0bc5bbcb8f5f5900c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
d760f3f32f14cba7ac582a2e290504e9

SHA1
53c146a1931624140b5a6d270b703f8780cef8f2

SHA256
0646355fb20064b9d7abb2d2bd78768ff227c9b866eaad0d2e049364306e58c9

SHA512
53431f655f0fd674ab96d1922181d97562809739e03ad77d05fb789726200175173c1ce70472a3051ea0013cdf3acefdd5ec7b899c5c9186e496cc8c37db6453

Download Submit
\??\pipe\crashpad_1596_LSRUIDUSPABWIPHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads