hxxp://markerleery[.]com

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://markerleery.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582493316746708"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4864	1528	chrome.exe	86
PID 1528 wrote to memory of 4864	1528	chrome.exe	86
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 4860	1528	chrome.exe	87
PID 1528 wrote to memory of 3472	1528	chrome.exe	88
PID 1528 wrote to memory of 3472	1528	chrome.exe	88
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89
PID 1528 wrote to memory of 4252	1528	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://markerleery.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb12bbab58,0x7ffb12bbab68,0x7ffb12bbab78
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4004 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2656 --field-trial-handle=1848,i,7601443810417765089,13027054392675403246,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
48970bc9e01a647c27b24b606c483c12

SHA1
b3802b9ddf480442fc8cf8f9058d33759334f7fa

SHA256
157b4a25904b6b4d0b7cb3784888cc9f934849de7a26c91c2968794b98e6a6d2

SHA512
b8690c119aecd8c0ad23698b30ce1d32421d03197b1a64ced98c7c4058f10a16422e21e87768324b0c77159486f85c51f7441c1f62aa81b03b4d8cb5a7865499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fb98eecd9e60d59942aeba5fa4e88c9f

SHA1
3c3875a973313b306f75e249f2d92e209777867b

SHA256
aac7a661645d46131142dbd2cae419c68a9267b2666dc9eea3e652e83242a78c

SHA512
975d9fd1968d3f02c603a6b4eb401143eb008acb0242c581926da29e5d079c27be292cf828307c8521776924ef0cb75bbfd2f670b0ac05bc50409842d447f0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
967369e5e16b6bb354ffc036a930d72d

SHA1
7c480849fdaa5932c65b0e712ae628e9860e7317

SHA256
a85d8a5bef278a2373aa7f0d6a8ae47743f93f6380892cc3880ae00132c94d45

SHA512
62282b2a1e6e9cd5e9205b3f39a33f78097a518375b07ac40638f346db1afd09895f4143a606d7b7955803d0fd96b2b5162fdbc2c081b675e30d00c1d3f9315c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
00850ec9106bef8a5f25a78e4d213f6f

SHA1
efc8af87f068f7e6ba7248293c3ce3beff3f6317

SHA256
cab5810f9ec915a17efa87616b7c44c6dd39cb943ef9aaf96532d4a00981b5b0

SHA512
76c07d8125e26a854fc017607224830cd9e7759a9e5bbb1487b0742d144ee67727eaa1e94e375218d36d47bea044ae00ec445022ff3f616b2b94a36a2f77fa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c1e27fdbe8e2f6d1b71b2a94a82fac48

SHA1
b6453bd3daa010a3e472b301497f69636daf783f

SHA256
42b4f2e134a64fa65f4b0b09a34884e4572f068d5572088d58b3e5c74557b750

SHA512
f4d818bf1ddcd97e607089cff4b75b5c0734f1184211fad21ac3310ea9d570d565991dc066bb21b09cb542e825eb07862ff8b0c73849e4e1ce89fa94c2521b4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
ad1cf4ac9a8104fe339873ca8f45d1f6

SHA1
481d1e3f3457352eb91caa0d652fc79cf4242e0d

SHA256
cd08927c68e35a881279f8c782cd1a4f696a3e539a95d4bc31714dc1d5dd5779

SHA512
70739fd7363a625be973f3b5d59aff79f6781a3eca4b6195f63ae0100ffae81932aabdfda81c3e01e1a4112576b98d4b5af2602a9cf51c1261d02329cb1b540f

Download Submit