hxxps://pub-e81df47df65b43e98ff96542b71519ef[.]r2[.]dev/index[.]html

Analysis

max time kernel
59s
max time network
49s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-06-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub-e81df47df65b43e98ff96542b71519ef.r2.dev/index.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639563476116367"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3900 chrome.exe
3900 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3900 chrome.exe
3900 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3900 wrote to memory of 4440	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4440	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4276	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 3576	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 3576	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe
PID 3900 wrote to memory of 4424	3900	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-e81df47df65b43e98ff96542b71519ef.r2.dev/index.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc8b519758,0x7ffc8b519768,0x7ffc8b519778
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:2
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:8
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:8
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:1
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:8
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:8
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1680,i,8455976534808113059,2119397584879497700,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
e32c03d2472a5d13b62ffb471c27fb19

SHA1
bcc5c0245c7ab8d4217175e85e315e9e36383c1c

SHA256
55a8cf1527080516d356b4368419305b757e238c4494cb5300115c7fb16f9300

SHA512
7150e4b9da975f38d3b38216aa1b3bf1be167855e28ff61ca24060ebfd94fe044ecf677dc4b92e1f053544a936215656186e4fe528dffd4d1072c8177f42cd96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
d1097e906491c0d3031eea4e4f3171ca

SHA1
725eaa61fdda184a5a6b873167793098a570fd61

SHA256
0f36eecf2131f173543f09aefe661e2d0e8ddb954e4044428114560466e6de66

SHA512
028c3c6877090ac5e3165af64660fe1db1162a032909c0f816a48017803e11f7467402c928c1374908c291b467671167af58c6be08fa05a256a9eeeb815c3c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a7dfe6f10b069bc728030aaf892ef71c

SHA1
5872e0d3c8ed2e8f0c8f00873343b0d36fa51122

SHA256
5df4c47203583c13ccf4aed19619a7f27d42aa8d4f5d9b990ce2dfb5c98babbd

SHA512
022a5a66b1213b1d6523163b56ed1674a87614d5a814eac94655b5f047fb7977d29310f78cd55425791657c211bdc8e0a720eff0cc175e56a7dc1a2a574d4976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5d0bf46bf732e32cee7516f6420d80f1

SHA1
1e736d020484042e7d9ab48098d5b5234df5dd5a

SHA256
d6b449438a0c28652b3f39a7f0ca2253001df1cd5bdfd7a48c7cea85c03c702d

SHA512
388db8a81eb8a8fe35748eb95ae3bc0164491876882e2dd1383556270a2e6174dca792b9a9ec9508bd26e7e4ec50c70237a443a4b0c1ce224462e0d871f41997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
bb2a21c3c309cd8212c7fed4c010a1c1

SHA1
30270f49b945968064a8bc3423cc50b87d10957e

SHA256
ad931a0bcb6230f1bde043cb2127d7a848f55798f97aa6d5bb70744a1c56577a

SHA512
5254badd46027eca2a6699866956768d782ed83ac35c4757d3e8cfc958850289f8ac1227d4b8404b3bf684a52fbb9d00ed0f7a2421bd213588e97dbb0c95411f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
99KB

MD5
4606312832bd88ac25b5b21d552466af

SHA1
1c5075a8b27c8781f493ae3abbf48815ecb56da2

SHA256
4c9c6f5daad9b564bc872c0f7b3b686f729ff1df1e161273f66aad33757320a4

SHA512
726f08aabea1923ddda884237fc4408db05756386644aba91422573794cdc6c195c03a60227051cb8c6c7c8ccdc4ac59ebd3243d032f8f5f767b7be01c753aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e510.TMP
Filesize
98KB

MD5
0315a55b400c5b0b3786b98fb90a9f9b

SHA1
a9abf793d753e628137f7445a9d72ca25829eb63

SHA256
457db77312460859bde87e2514d446eaab484451f379f2d757c5d323a724fc26

SHA512
1d9ab7373ab65a1d5759293fe4837fca27e2dae9c596b5dbd976fa60a1bffbc8e56ca7334f74fe23ee4609b51f0b5b267d2503fbb3f3aab84f89ceaa12de9aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3900_UGLGITWGNQHQURQC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit