hxxps://sanernow[.]com/spcampaigns/unsubscribe/XReKS5UwG1asLinrPiWXzvD83IBbaTelkpaTvuyxM3I/ySZBi16T9H7dVa8vGf1xow/jbiBgqGx6H6o8920763QTu51pA

General

Target

https://sanernow.com/spcampaigns/unsubscribe/XReKS5UwG1asLinrPiWXzvD83IBbaTelkpaTvuyxM3I/ySZBi16T9H7dVa8vGf1xow/jbiBgqGx6H6o8920763QTu51pA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609871622451772"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1700 chrome.exe
1700 chrome.exe
3408 chrome.exe
3408 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1700 chrome.exe
1700 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeCreatePagefilePrivilege	1700	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1700 wrote to memory of 2280	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 2280	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 3172	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1044	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1044	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe
PID 1700 wrote to memory of 1420	1700	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sanernow.com/spcampaigns/unsubscribe/XReKS5UwG1asLinrPiWXzvD83IBbaTelkpaTvuyxM3I/ySZBi16T9H7dVa8vGf1xow/jbiBgqGx6H6o8920763QTu51pA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffca11ab58,0x7fffca11ab68,0x7fffca11ab78
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:2
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:1
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 --field-trial-handle=1836,i,4632798550881202541,3584911463734993591,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c42fee20cf107a40890c6ce8b41669a1

SHA1
14fe3866fb0ff8aba6f3c862cd9ca75bb7d8b0a6

SHA256
6d43afff2a62e723db3e748f92dea8103a276c1bac04f6bdc7fce968e9ca8f3f

SHA512
b5ad5f8db9bc84d4708d6ab7b435ac92e39556f5abc584127dfe26b8b09d5fbddf6843c979d9ddd8aa1e4130f3203149a03cd1983e191a9888a4ca44357977f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
8c0b7353cd16e6a8f600f61af3666c0c

SHA1
24e8337b73307594ae624a9c196f0c4b54e0fdf6

SHA256
891a89948fe4733391498c86afc30a007bc7eb00bdecdf8b648835ca95742738

SHA512
1a27e837a2028bcc33b83b1882c7f75cf56816f242526f0d5dd6c602f63f8381e6521ff49ed27a2d7134e3b063295c8267e8d1646a202515714ddc0d618b87b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
397c32625ad06374b9eaf3e1f0ebdf6b

SHA1
a50632687f8cc177ee96cc2e2f0ab1b7b6180891

SHA256
2450bf7426199d52e73d6685cddad831f20315ed7f1b88b2e1f00d0b7d23dbdb

SHA512
a682fa50841329cbab50de63ba115b9215be0a88f6f3acdc21c9cfa5271ba2405739725141456b038d351af37c9944e76ccd53cca93618fbd4e22697682ecfa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
d3fb806e48f5f6531410973a3d018d14

SHA1
cd920eb2659323f528acdcbb58ab46b51516b72e

SHA256
e96ffb63d8d429500c4636c2d84b96173913649a2a348dc81b1cbd1f3b64fe1f

SHA512
bc68b8c472c9bf28de615ea84f39208b6dfe31be882337506257c921876f248ff7ca0af8ab25423fd1037d620eebb72f324a6d3393495e65279c9a561d7608c2

Download Submit
\??\pipe\crashpad_1700_WKSAKBQMAHYFEJQP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads