hxxps://2qy5s[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/7nVU1aA2nfwFRTo9TlOfqGr0whvSJXN/aQhIP5iEb0_d

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-05-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://2qy5s.r.ag.d.sendibm3.com/mk/cl/f/sh/7nVU1aA2nfwFRTo9TlOfqGr0whvSJXN/aQhIP5iEb0_d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602470986372473"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3928	4232	chrome.exe	81
PID 4232 wrote to memory of 3928	4232	chrome.exe	81
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 4260	4232	chrome.exe	82
PID 4232 wrote to memory of 2480	4232	chrome.exe	83
PID 4232 wrote to memory of 2480	4232	chrome.exe	83
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84
PID 4232 wrote to memory of 4968	4232	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://2qy5s.r.ag.d.sendibm3.com/mk/cl/f/sh/7nVU1aA2nfwFRTo9TlOfqGr0whvSJXN/aQhIP5iEb0_d
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c103ab58,0x7ff8c103ab68,0x7ff8c103ab78
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:2
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3476 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4340 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3260 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1836,i,4760512590849626406,17553094596345490268,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0b870abb68e127c8552b829e16bc2d4f

SHA1
94d0bf5f50073e5054a20022bed4e863c8b2cf3b

SHA256
5b7f22628be8e1944ae471da2f230b026a1989cde03ab067cd470091fce7bcdf

SHA512
4e1447d488528c915b3603b9e78df102f45890c5c115617b44707810ae16665ac93b0872c4143bee4cba9e2f75c4763be8b97a59bf8e150ea7640f2d81d5a770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
87a2121d49b5f8d92bac261db2798267

SHA1
8919de252d2e37f8cf4d27896b93e83418b9f606

SHA256
0df9941280bdeec75a97ce43a56242f055b8df04430a92fb621c6aa61e777bf5

SHA512
51ff69d1f843a9053baaa6978133da7e6de2a143b2c27d0f6932b85d5130fd4fae10ea83844621a28111656bb4519a342938c58fa356210fd1a52a1735836282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
509670c64760d3b108be228a6abf0063

SHA1
3aad3ae388571d6decb66ad4dbcf9439aca01f78

SHA256
2da09c5e3549115de524af45f50225d167df3724cf2626e659d6c62c167a65f0

SHA512
1683499a84f78be07e2149f54279ca53e455ef391e9f80c3e0e23b081771d93aa8d3ad68c84086e71a353b6245fa6d2ecf6b52313683c53f4200fb753b774d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd925076-3aaf-466d-992a-dfc862cfad0d.tmp

Filesize
7KB

MD5
5fd85d8ec62d85cc2b490097eeb4d03e

SHA1
5a4eb52921e6ee6e9d61cc3a38e8d5bf87cbb73b

SHA256
c301ad20bef8d3c214d4c610d0a25675f03addb78050055443a3608de88c73a0

SHA512
1a1ddabfd07311136b4a1fd86f96c35d108a2111d6f1544f60557573838305c745a5bf23f497663dc89e3469016535cebc274f6ec0d28d69a74b31bbb9824d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
01438057ff77ce551c24419565ed763d

SHA1
987f2b889344e4acc57691db5bcc228c59624b1a

SHA256
3310905b3443016c1cf52690b80e70d37ab644d9b017131c7819a60e68698fa1

SHA512
3fe27963a9e91666c71a0e16df48d96fcb5b8ae246e60392983c7b69daea752ac35692e1809866f7f4b9afeeb43fae415db899bf4b18cee524e3c4772083799d

Download Submit