hxxps://onepiecered[.]co/s?q5Gf

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://onepiecered.co/s?q5Gf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578439081135925"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4576	chrome.exe
4576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2612	4992	chrome.exe	86
PID 4992 wrote to memory of 2612	4992	chrome.exe	86
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 4104	4992	chrome.exe	87
PID 4992 wrote to memory of 3640	4992	chrome.exe	88
PID 4992 wrote to memory of 3640	4992	chrome.exe	88
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89
PID 4992 wrote to memory of 3600	4992	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://onepiecered.co/s?q5Gf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e66ab58,0x7ffa1e66ab68,0x7ffa1e66ab78
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3860 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4328 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 --field-trial-handle=1960,i,7251566021886127360,2708057062848031710,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
60cffedff2f66b36d9904aba07b06eb4

SHA1
5beba8a400358c3ee9b90cdf5a6bcb5333352603

SHA256
6e25cb2ef4963dff0fac691d10edb1b9664023be7d8fb77cde5f92403b0c6355

SHA512
abfed478b258e0e942b02b1334a443b826ece19dbeb30241f5d9ab13711a91ac390385afc8c6d8ea983bd1df39e36ac1e519c6fbf2287a1e85f50dabd6d3cf1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0fd59b162df1d9606006808e9c159e1d

SHA1
e65401ad898f2565ecae1295dedd38dbae4cfe54

SHA256
8420d6666bcf8083bc761b4dcfd259db7bb0079dca3f8fcf8a62dbe270a1b8ca

SHA512
74caec73c6108fed0ecce0bc80446989d489e3635da0365fff1d4a24bfc015e79ba110bd10e519dc1b76c34a165714e058cff32a995ebe82a5b94fe72f8b967e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
662afff83d8d5ee0a0eb27e06e1d4364

SHA1
694cb6802dbff8197c9f716f9d3058955e29cd42

SHA256
7aa0b697dcd38d82aab03dc7227a9d4b98ea252168d500f15181a1689af862f9

SHA512
39b632c80a17c02a3e3a7cde1ead483b283054dc277023a2a5932d552764f6faa63da73a5ec55df50ba2a6d732744f3b86b0177d3850be19bbb70a8e8e8ccdb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2d6f3c2a816429e7453b3fa812006799

SHA1
54d00afbaf63b65236271c4444edcaf77b057811

SHA256
964b684345b33f79d805f69064760fc4a498de8b8788dd41b8a7a29fb9e4840a

SHA512
50caaf86c17072305d4d323fa4c776ba1f64b1cadbd0d8acde36f1ffece7f9620898ad34f5ee063fecc2ce8312fe96571a671d9c9a36b3975d044e839bb6cc88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7eaee99d0f0855ad6cc5fb8b568b940b

SHA1
a7b6bed9c6a66570b8ada0c9351b7f9631acd3b0

SHA256
53401f5c64c51c9c93a2dd8c110732134b0c4cbe8e17af9ac28874e1c029723e

SHA512
a78ab739e607ef9d66ccc5708bd8c5a2e7cccf2fcc8e2ee80e9cf4480628aa49af2a82c69c429bb348ee981d49e8c35f585d37267c402c10efc791a0b7f8370c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4da8993eee06b5a438f27bf3f154b57e

SHA1
2f3aa5a9ca4122816e338496f94648b62ce0ac30

SHA256
e7fa96a9b20743959dd5263f3a967a1a604cc1268be2a3c873b2747471642436

SHA512
972c39a1712319b003a97ee34577c5cb629d9dc5907bc67a6a651c1b721c021de906054b2021f2c989dd25ce19538b152820c51476a56b37f93c10ae6562a3b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
3c7aa74848d587555119c6c23084d7f2

SHA1
7c9b6ec8968107a8582408155566573c3b9dcc0f

SHA256
011645dff5b7560467a07f3152f58728214e5f47cbbd5a03a2ffecef3ea63298

SHA512
78edd0531a6343909e710b6591ba653e2b41e4f2e25e680a4e1181fababfda0ce17253ce20ffe42dcdf23ce85a250e38fa2127546500f843236d1f22ec73fe46

Download Submit