hxxps://pub-85d7e54e225f40cab7906dbba472f63b[.]r2[.]dev/avatar[.]html?elections

Analysis

max time kernel
299s
max time network
273s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04/06/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub-85d7e54e225f40cab7906dbba472f63b.r2.dev/avatar.html?elections

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620149447951052"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeCreatePagefilePrivilege	3004	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1424	3004	chrome.exe	77
PID 3004 wrote to memory of 1424	3004	chrome.exe	77
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 912	3004	chrome.exe	78
PID 3004 wrote to memory of 2656	3004	chrome.exe	79
PID 3004 wrote to memory of 2656	3004	chrome.exe	79
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80
PID 3004 wrote to memory of 1180	3004	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-85d7e54e225f40cab7906dbba472f63b.r2.dev/avatar.html?elections
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ffbae5eab58,0x7ffbae5eab68,0x7ffbae5eab78
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:2
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4016 --field-trial-handle=1812,i,17117659577025909073,15432031618525212823,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
062530d96c7f80310fbf040eb09dc381

SHA1
a0a7ca43ae4fcedec40b84bf810840e8d768dfa5

SHA256
13be7cf4f4ed865579585f99e53f97546485cc9638e51d1de7853d5207c000c6

SHA512
2a1568d66e2136a0da51efbfc2134d317bcccf138d87ea5010c51852f31a0b9485b861d1b6ce88b1a45fed192e5836eab700cba77d64ca15946ffbaa1b23ad65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b9bd76c41221928ed3f0e6a6868b6a4e

SHA1
871f5dfc4427adda1c984c06e7e842f500689dbc

SHA256
77b8efbcea14f02b11b48248b02c15496dc4606975b55ea2fa313473a5494b3d

SHA512
9fbfb5d20f71042848f08268e3cfcf4294287c12397dd4ca800c7b5d57e8787df15fc7728fb20039332beece872613bb120990c978c32ac0f70ce302ac7bb17c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7ea2321692e003e5451182fafc1ac2bd

SHA1
24f1c529cf4053dae9522d79ce7abf7515e8321a

SHA256
e2f575ae56b9357b2bb100c0938fea7192445099d507c624db3622e0cc3f7ffb

SHA512
601d2b99570fb111e538818198089de7bb82f18164045a021d8e1c2aeab881ca1c28c6f13aa392dc7fc0fe5f790b90f4f172efbe05a69dc06e3a0fc6a637ced9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7e549fd283f7babccaafe9b6d7be5875

SHA1
33ffec4012ec9a62bb930a7a55a0fdcee8530699

SHA256
0a52f8b0e7921ce10e268bceee91272d39016f0814d98544cbde5788de6180e7

SHA512
e8c135630181cf70d4f33ee77872f7c4991d915c17c90f66dd9e88c46d9e51286b2e0c936eab3d8a9bfb942d059da361252a5f2b3bc51c11eb7ee0855c076f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
47e78d3f4b5beefa6dc43ebf11b3bd6b

SHA1
8adfc882d46adc07c7e8b5193f709c39c74284c4

SHA256
04c2bc193dbb15f9cbc0061a415f13bee1747587a16c65a2a23b34df233c2245

SHA512
b23cc446f24d33f2fac3707bfba7ac282a0b5874a16a842ab3a711517fe05b238bdd953ca2a91679d4d7b0d44982a8a3ba5768b05c08b0b90f0dbbb0fcf4f60d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
84KB

MD5
6b70ce7470bdaa4b584fcb1b16941da9

SHA1
2736ed1eb4d7a590bf863fed20c609944479cc5d

SHA256
259e30103a16a14309311a726c05f4d689e369445ead5d99d81f79f47e12f6ca

SHA512
9ebb8c68f0900ba15b3c18c815c4f5289057b5937d8d69a130f57682803e71156b4d5106ed9b70305fd0fd7b1602d3d55d814e52f9a43f9940534949eab0c0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f230.TMP

Filesize
82KB

MD5
7d81ad5cdf47c9855b11ad7baa94344e

SHA1
088bd1a064143e0913e301ea826f802826d0ab74

SHA256
d23ac078ed6c3b40e030e101b3d42e390250a1e02f499e0f715ab636352dec3e

SHA512
601e2a9945fa11bc7d737ac1f04fa398d7d2d17c2d02998e85d00e8e3f144b80decc588445b29615ca145feb4b58da1ebc10cd38a7e2e150261d8b9e1ace1bb9

Download Submit