hxxp://rtbbpowaq[.]com/script/s2iurl[.]php

Analysis

max time kernel
110s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rtbbpowaq.com/script/s2iurl.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584345583460755"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 1140	4304	chrome.exe	86
PID 4304 wrote to memory of 1140	4304	chrome.exe	86
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2496	4304	chrome.exe	87
PID 4304 wrote to memory of 2600	4304	chrome.exe	88
PID 4304 wrote to memory of 2600	4304	chrome.exe	88
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89
PID 4304 wrote to memory of 4160	4304	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://rtbbpowaq.com/script/s2iurl.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c266ab58,0x7ff9c266ab68,0x7ff9c266ab78
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2128 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2216 --field-trial-handle=1824,i,13058719290356093201,1658150421094230074,131072 /prefetch:1
  2⤵
  PID:4428

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
633be215e73ba51f1a424de4eee2a2ee

SHA1
7316ebaf5403de082ceef8d9d4a639a7a4fea0ec

SHA256
f9029f32db63bbe6d6a1e26a222d1b6ddc0d48df1fde57a55378154c872b1df2

SHA512
3487fae7951a29cb3b2b4209df4ce7eb43493d8b4cee23d36f4bf6fefd757726d5022570be3d4b1b9a9b3b53e89627970b07fca9f76d8815470cd5b7a2a0d3ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4e21a873a84e0867f114ef35aea3856e

SHA1
2a6a18876055adb80a103242ab5ac5f5b7a09f8c

SHA256
9564b33c319dc00ab58f44c224474e41ba5c61778c9467ed9399420ac5ed28db

SHA512
526fd52c9b03281a7832b9cb584be0565e95caa84ed3fa39d3a1be16a710dc10ee3d78e92d4e93e298e6beea21aab464500c870a61b0d795a4eb0a4326319095

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1daf4146c1d4bcdd4f4333d2cece623c

SHA1
6ab8a0e00f47b5c279996b7636cff71010a06693

SHA256
29adf62bfa14b9b6efe08058e441d7a4a77336b0763b9f4dbba6adcae9233b72

SHA512
fb9bca72c3d685ec318e6924a60ac1ccef8358781630df2a36a1062b18290ff271ed2e7cf0dddfd57af5e98febbecd15cbcac9a914ccfc8ee721e21b35189177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b8457c9c2b4e796d852d0bda77cd0355

SHA1
b13756acab62838350e2a7c6b9589ab4cbeb2b8a

SHA256
e4ac7bcd86820fa22f9b7a3511474bfdd6e0301234b2ae7099e7a75fd0e3fcc6

SHA512
457d46d4b9eacacb184644302a74651a278ce050ceda029af8012b9bdbf5f654cb076f16794c74822efa834fc62bda6041cf08b8c3a2ed187a7728d05434ed1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
f039fd9426238c13e34c0014ebbcbec8

SHA1
e189527f3047f8f3aa953b4af3c064f1b74fed95

SHA256
45f40063040e659e23e08d89c556c9109ff599b1a5d68acd6dd378c5c63ad16e

SHA512
ee1c56e374bf350724fc6a442c3a36f3fcdf066f23b235d5f1cb335f7e04faf0a9f41f8293fd2ac21b5bfc516d82d0bb879d3cd12092ca9c4e66472807817363

Download Submit