hxxps://ystepanova[.]dmesp[.]ru/clicks[.]php?hex&m=340f&c=376b24&i=16dd&u=1f122&l=aHR0cHM6Ly9uYXVtZW4uem9vbS51cy93ZWJpbmFyL3JlZ2lzdGVyLzEwMTcxNjE5NzQ1NDcvV05fUUZkY0FJZjRTdi1KZFlqbXVQcFZjUQ--

Analysis

max time kernel
129s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ystepanova.dmesp.ru/clicks.php?hex&m=340f&c=376b24&i=16dd&u=1f122&l=aHR0cHM6Ly9uYXVtZW4uem9vbS51cy93ZWJpbmFyL3JlZ2lzdGVyLzEwMTcxNjE5NzQ1NDcvV05fUUZkY0FJZjRTdi1KZFlqbXVQcFZjUQ--

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4540 chrome.exe
4540 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4540 chrome.exe
4540 chrome.exe
4540 chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4540 wrote to memory of 4256	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4256	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1360	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 2052	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 2052	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1540	4540	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ystepanova.dmesp.ru/clicks.php?hex&m=340f&c=376b24&i=16dd&u=1f122&l=aHR0cHM6Ly9uYXVtZW4uem9vbS51cy93ZWJpbmFyL3JlZ2lzdGVyLzEwMTcxNjE5NzQ1NDcvV05fUUZkY0FJZjRTdi1KZFlqbXVQcFZjUQ--
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea7b39758,0x7ffea7b39768,0x7ffea7b39778
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:2
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:8
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:1
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1784,i,128513488704032173,7195453523035226281,131072 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
bde46af10c2946387d88499dcf7b183e

SHA1
f0d0147c47f6e7fed526eb5da9f70f978726817f

SHA256
7e1bab3b5c119c7840e4518aca6b5a2466609e63eb55c318047766488478ca0f

SHA512
589051aebff7a42b4dae1ebd207b3600695ffed4ce070f956b44a0291b6303343889f43e6c0dce8b742a90d996587970b4cb0348a6dea2302e3756bc8a2dd9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
098836f83179cefa71561f000ff092ff

SHA1
27991c7f5e4f82bb293a4d93a8b850cafcac421c

SHA256
e6f9441cf05bad0fb5827a4a4de27e95c6169b96b8062ddf705b1f27d162be18

SHA512
53e740af2e94c87352861ba1d27d59610f1144ab7ba97e2114a2d4d2f4cfc972cc71df02aaf0e0b2ae79541aa85e1df074bde7ddea1aaad775ccc1c7cf94a759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
af57f6f2beb7d14aca7df367519b0868

SHA1
135987fad97ea2c69b66de50c037ec38befe505a

SHA256
0bed89ba265113eb2f355287195c4896e58c9a80392bbbd9a68fcca1bfea57fa

SHA512
43394b2e8c6a8c5f3b712298622fa8454d999f885da2e64c6d3f4265959bf3de71cd1b57c054d40799a3872ff811ea8485c6f6802f6bb6a204fd590cff83f076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6ff5442f67f7a827eee477343fe10a38

SHA1
b197ebb68e88c6897f9548a82b5b796a02e71073

SHA256
5521b03eb62d8b324cfa6588f62f1dc205472e01f5551ce4b28a80dfa3c2f7cd

SHA512
79f7a2fcd2a18541b7144ead81992de7b4df6951b2a0039387192f10cc00e64c685ebdf543a8301059464691ff55a29037abeb6f68ec8486c685a1972fe386de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5ee3b1fd17e3c05b00b2100fab9fdf1b

SHA1
ae1b6f40bcd7ef53c5c99bfed9ecb7faa9232769

SHA256
8c8cf28d6093dcc481a75d85788c487d085c843fff9792a460335d90b71d7ef8

SHA512
2bd67c95f61957e155ef4ef91421c2c857a48dcc0204d92607ff5aa55979bd7524fe3840232fe135726f8a2aafeaf12cef1a59c42b1ccc39c120685f2c526631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
49cbe1323a460e651a46fa2336578fc7

SHA1
124273ebac1c09745fc4a036ab5842fc832fcd50

SHA256
f0b301129825efcf1e77ff589d2ccc7e8acdcc7276e709f23b343bbef9ec6cf6

SHA512
1e0555f31e9a76327e03ae06221b21aff5c9cff85c82c89ee0e24dd3dd0d18cba7fc0f1f03008b114332588ae60b64ef90a8d9f78357e008c2e51b44c7430686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
bf5928e034eab1723189110ddb75aef4

SHA1
78f70dd3e88d7af3902c36fa55a1125e93e7bc56

SHA256
68ba29474a06305ca28bd53d0aa59047ae9ac547d1d87b1b913b3ae8346799e1

SHA512
74a4e942b7d8b1450a387e94d01562a5585a139ebabd82945b570475712b013c6099fb3f3921498446910d34c8e3c42b1d9b9530507e85de17becd6fb23d6a8c

Download Submit
\??\pipe\crashpad_4540_BUCIANLJOEAURONQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit