hxxps://pub-0e4505be7d794945973c446c339fefc2[.]r2[.]dev/INBOX-Logins[.]html

General

Target

https://pub-0e4505be7d794945973c446c339fefc2.r2.dev/INBOX-Logins.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619484342967823"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3724 chrome.exe
3724 chrome.exe
4036 chrome.exe
4036 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3724 chrome.exe
3724 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3724 wrote to memory of 2004	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2004	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3212	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3752	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3752	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 3444	3724	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-0e4505be7d794945973c446c339fefc2.r2.dev/INBOX-Logins.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe8b1fab58,0x7ffe8b1fab68,0x7ffe8b1fab78
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:2
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:1
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:1
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1912,i,6123021019766209377,11458890389354591394,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
d503e1ccac33012e0719de4943fe65fd

SHA1
9d6fa7247a74c251b7b3d49ebc88fdee9f486f54

SHA256
f52bd1529dc3774530a925d0c3daa4fd244680c88bd650cb9d88524c307914cd

SHA512
a1fe21e898c370b86f7e92512dc6fa670e9e7c2e05176e156e3c40864b6142803e93424ec3d034528e7afd7489aa518cc8b21dcb3987e4310ba22e17d5f6cd95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
d7f702004cd8474d844fb1e0a0e1e02f

SHA1
39266229b22a227113dff30214b5486cf65f3211

SHA256
ae3ef4766ba80b615d0a9fbc95a36570049a8d53d2345afa7b09824be518f623

SHA512
25cced374a4cb79d74ef3a4071d5c5f1faaaeaf45b73af181e97442dcca04c5436cb34806bdcbc4545adfa55ea1d2b3b134fd032f1b858c33e7ccc6b75065aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
858B

MD5
e152f6b4b400016ef58b5d41b522f21d

SHA1
7182582e484097ce636753afff5062813b3ae942

SHA256
115cd34ee9af60761e497763c49a91d278979e5428a0a5d341ff6545c7665bbe

SHA512
80f01c1f33eb683b6f7ce450a54fc0bc91f5f1d400120dab60035cb4edc25a787fdad4717685f74c8583a514f0683da79c7f8cfa6975e850ef5f9ec0480bbb3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d709c0233f6cd9de189691bb93f6db5a

SHA1
3f531626f8babc1f7a285d62d279dc77d66c999e

SHA256
f4d26e90e3af4b290e8e864f648a103e6505d1e39d8c3ce3ac168dc29e3c1d1e

SHA512
f5d21c94b915388430d794fda8b99a91a6740ba140000374e0de8fb9e24550a24d0f4fd51c944c538274c481c067ede028085426ca5fdb3ad33fce319fdc19ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
6a336642a477785551ac4bc4a7a5f759

SHA1
cee96c232d06781a697e6137c3f159a439ad0a2b

SHA256
5cea4f9ab3038808909ad64691200732e39775200f144fc67482a5535687fbce

SHA512
be14a4ac4c87ec3908a5d18213488ff2bce9ea1c389dc46de1feac1eb8e78c9b7f776f55990710b4e367bdec0a0ff9dfab0795f52194a5168849b3612660fc7c

Download Submit
\??\pipe\crashpad_3724_WNBAZINULVIKUOVT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads