hxxp://email[.]btobtrnds[.]com/c/1Nd0XTMCTl6eycd9NUr9eLsy87rQo

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://email.btobtrnds.com/c/1Nd0XTMCTl6eycd9NUr9eLsy87rQo

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613029492065308"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2572	chrome.exe
2572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2964	2416	chrome.exe	85
PID 2416 wrote to memory of 2964	2416	chrome.exe	85
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 2788	2416	chrome.exe	86
PID 2416 wrote to memory of 4796	2416	chrome.exe	87
PID 2416 wrote to memory of 4796	2416	chrome.exe	87
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88
PID 2416 wrote to memory of 1176	2416	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://email.btobtrnds.com/c/1Nd0XTMCTl6eycd9NUr9eLsy87rQo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e7eab58,0x7ffa1e7eab68,0x7ffa1e7eab78
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2732 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3136 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4808 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1896,i,16515579254505940634,9591175399302388286,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2bc0e8b80b4d3795b24f200837afb85c

SHA1
d505ef74de6d7baf29bddc9372412122fbde4afe

SHA256
40b47021a87e0fa8b39db94a84166008d07ab8301a6139804752a0f0456c4ca4

SHA512
fdbdddb1f6ca3cf872ee1e267c797f67ea0da220efbb36da4a28652a394c27f3df9a37c46293fafa84adc708c8bf25cc93e5cfc6a958eb0fc7796a50e4ba9444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
dbcfd7846cc92015dd8402822666a3db

SHA1
9d13095ba462cccc95d6fd4d75593d4c35c4d2c0

SHA256
d722d3554a3891261ae02d4db31ef00a3bc962ee594c8caa574f65646d38ca71

SHA512
82700ff818aebe0034513ab7319a7a62cf7b20f2161f5270336a10a02bf140210bbeba7c8e06461a8a62fb4de168f76d96921680028f8c7e097f894d4009efef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
394d63b2574de313b424158126545a78

SHA1
0d570e5e605760f822e57addd72430e38d712f32

SHA256
3769ca3f22986fa472f463a9e5e53851fe710e78e12d38c93f347d5f50c40f70

SHA512
44f003c9c3d87ae43c8467b02905c253c96f26bdfd3ea08ea7ac4b643d12c737b008114109ced01244c97c397f037e2836eb81efbbf90422611c769d882b77bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ad52cf3a-0ef5-4b59-841d-18350e379889.tmp

Filesize
7KB

MD5
f919f928f521e16aef9ce8c3b60b2f04

SHA1
ff431cd8d6b6361ccd7c6eee747c083cc27aeaec

SHA256
b1ca7998c1c0a9a0af81cdd326d797207e36e9658743f837d5a31434550d114c

SHA512
a349383c9e3e9996b051a52001f768b5f1f63fa9bedb9d317f1410b11b505dceb70e86c087f8ee79f1877a8a6d66f3bf9c8d779178772c65683363634a230901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
9cfb4d6359bb398d359a0dd6e9bf64a3

SHA1
4c213eda389156e8b4e20d514a3fcdbf778f921c

SHA256
e8b48177a83c7745bf33656f19c3adc94fce4775a98c05b6b8e452517259d9b9

SHA512
61adad2cd7c87082c0b26b2e66ee1a677f663cbf5e5283807307186e62db2a5eb4bcaf7feda17c49074cbaf9f1e9436b0e04184863e3ef4ebf74641fb1018b93

Download Submit