hxxps://pub-4766015fdf5b413d866c3bdd90c68b40[.]r2[.]dev/randdannu[.]htm

General

Target

https://pub-4766015fdf5b413d866c3bdd90c68b40.r2.dev/randdannu.htm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589096129346795"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1508 chrome.exe
1508 chrome.exe
3908 chrome.exe
3908 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1508 chrome.exe
1508 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1508 wrote to memory of 2196	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 2196	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1220	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 4648	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 4648	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1616	1508	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-4766015fdf5b413d866c3bdd90c68b40.r2.dev/randdannu.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6431ab58,0x7ffc6431ab68,0x7ffc6431ab78
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:2
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:1
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:8
2⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1880,i,7321590678219701605,1431457557324787580,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1342f676-984a-43cf-b5f2-47d01f1712b0.tmp
Filesize
7KB

MD5
043ef969a91acb314b55586372f12110

SHA1
cc4bc4eed180dbc8a98001628b48187bab8af7d1

SHA256
e1f417ecd6bc8818e2bc4080d5ced7d925cc6dc5e0241c3b7c0537d5480805cd

SHA512
675473df605c949b6fcd89c52a5febddb47ebee385abe77d8a6204f4095ad833d720bf7ca8a3a69a7f2429de96590d48e8be465755fd199d7b7b2377bf6ce127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
26KB

MD5
df3d48946e8d3f5a83608308edbb4b86

SHA1
47b9c40c97abf2658df96b1c06109324e15e1a00

SHA256
570a6631252b8a52df4de0e953ae77dbdf524dfc3637cda2840494a0d2b49499

SHA512
36ec1cec72dc3245730c813277c645525473cc5232e85cd23503b8593d90264f335e61a16d364a1e6c41922820b40ba7c0f46b19f4b91db6a0cf5e31e778ddea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
16c32cf098c381e393fecb090fedb12b

SHA1
9c9958a9e045839b852a575c026a237e4e5ffe21

SHA256
51a087dcc5510cbbf1228cfd7be94a14dab08675409eb8e8b7dc2bc288087d41

SHA512
8ad3ecb4ffb4c5c060a718688659cde831a1321b221adc96bd92ea1f0d81ca2cec12d359502f275e27572f2ae4216739c28eb9d5d9d396116b357b09228cfbfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
3bc73a1b4aea0694ba5a067077a3c76a

SHA1
2843aabd07dafa21e460255dee8560e031338667

SHA256
8d5668a851c9d4cc195d2d04129d4377d2d286ab379edd8db6c388400f88e7d6

SHA512
b1c0141a0c5cb3aecba75150b934cf4446793a0756f4fa687e3674ba44ffe0e83ed2d41db4d7ad5f85148d7859a78a3168a752f47d8812bcaf359c2a7d3b627b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
ffe8e963b728d72eec70dddf7193df94

SHA1
5830781c96c7e973fab7a59d3968ef64407aee2a

SHA256
aee890a35e97d0ffd1114a1501c1e564ce943f882953c254680d2a83d6475d8f

SHA512
2c145fae929e9597b234b3011b2c98c70573ba618139495c221bf5eab7fbe4ba48df047e5426b5593ad2649ff5b5c26b42bf8744b20aac248cac07250ee917b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
af7406f62491264fc1707420c56f9095

SHA1
ee12cda1d77cbfa58a75d20b2f1c4cee1a658721

SHA256
1d5258934f0834039191f2798e93b372a51a726b180aa04d1d32d44128da4ead

SHA512
224f3cbdcd477a465aa1a8c1bb4d6fbf82162f6a28fcdd987b243344df70a2e121534e2952a77e879fc4d7d08669855ad9dc54ec6c77ed1b2d9500f7602d22c2

Download Submit
\??\pipe\crashpad_1508_FQZCQXIQDZSLDNIU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads