hxxps://qrco[.]de/bfCK3T

Analysis

max time kernel
299s
max time network
288s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://qrco.de/bfCK3T

Score

6^/10

Malware Config

Signatures

Legitimate website abused for phishing 1 TTPs 2 IoCs

Phishing

T1566

flow	ioc
5	qrco.de
9	qrco.de

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642820362626987"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2672	1204	chrome.exe	85
PID 1204 wrote to memory of 2672	1204	chrome.exe	85
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 712	1204	chrome.exe	86
PID 1204 wrote to memory of 4800	1204	chrome.exe	87
PID 1204 wrote to memory of 4800	1204	chrome.exe	87
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88
PID 1204 wrote to memory of 1492	1204	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://qrco.de/bfCK3T
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffc0d74ab58,0x7ffc0d74ab68,0x7ffc0d74ab78
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:2
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4112 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 --field-trial-handle=1904,i,6268896944850761357,15143205745008157501,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
988160d8bd82e141d428f10d7c246294

SHA1
01bdc408b93d3b237d70f5973a2396e497798235

SHA256
a905b45dff65cca20a1e74f565ddcb12f7f58eb137b5cd32ff8d345eca92e3e7

SHA512
6114217d334d2389605b171b2e4f54f19beea585047ecac42205c96a4a052c18ef30299d8ff9915d96c902b3b57645db10fa34055ce7be836f51c8bfe0c49f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e891716ef5a44b27f6c5bf87a977a57d

SHA1
00d54453457438447d9e0fdc5d782a4276c0f513

SHA256
4ee466cb8217c286ceb5fc32b40c4713c3fa429eea62edf21a27ef752d86870a

SHA512
5d02106fe12d9fe1ec430fc866e921b7560d584ef2ad63d26ae2b9803cfbc328bcce37e02987d03e31b4614b5f1dfed0328f69598871ef4ed9e0633cc26b46c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
13bde9cf94a626770906657d4708cdbc

SHA1
fff83f24fc0e1baf36b24fa53a440f79f127a9ac

SHA256
45363542e14f08f88a715f1076df675aee3c9331dc52098cacc96a7ec9bf6d8d

SHA512
26cd29ab0bdc119443ad9c6b3313e61ac2245e7783ef3c2b4bc84db7c6b678ce0f0776dd5ccddba31e245df0591b6df7c209ce9d556a4097429f739559f477c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3caafb818b81cd34a2ea8f6809673dfb

SHA1
5b562878300c44db976d17ddfbe4670b66eb319d

SHA256
53840a91fef0935983d48f1fcf9f19c6f490092a81d87821ad9bd890609f33de

SHA512
ac43f1323462e031e97ffd790805f9ab9a66200bcb9dd15a665a3c6f79fb59759c85259eb33912ad0e4aa5eaa05120577e254e58363964936f31f1884e61a127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
912c6388d2250df20c81dc414233fa22

SHA1
8ade8ff6b8057db83cc2eafdce9bffe721c50cd8

SHA256
e86faf5d578f7aa2fb6a624507d640fa6e7d26b013dc61aa79745c7eaf663a48

SHA512
4d5afd170de98a6f0279be83ebaa14d490cedeae2498c15c4cafb8e5a6d8eeb7a4bc87d4cdcd4b1c301ea93396b962794d1f5304955affe283b713b07d4b64f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dd7e8760f83690c83b0e7b0ab95a1d21

SHA1
df7b8d03caea4ec198828d03680123158e3ee7b1

SHA256
274fb3b34c926c57b7180533ce442bf9fd1ca4c5f5e50ceeda2c07fa0c5cc9f9

SHA512
b50946e825eb52ef2b01258df21eea21ceee32f5bb707dbe5784edf4b9a36b47dda3b5fd075c8de5b34efd7a6731a9ca4af57853487e7c005cbf7166058e1df5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a3a00e896650eacb7fb2b41fb67d8d3c

SHA1
87baf1cff6bdc8986dd244f4011eb878da44f1c2

SHA256
a726aa6c9eb35b816276304dbf83d74db5a8c1798a1fcd4c38f6915a4e4a0dcb

SHA512
5d4a5226536103d291a6d64b75820ca662b4930f1edf65939a5062894ef0164529f78bf0f90e946c75d51e654c47eebbfd4c8370cb5cc958a2ef080c1b66a0bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
0b2f5fe07e497a477670db59b58877da

SHA1
736ff70a1c4d84b6f66ae02eaa2f14d17ec945c9

SHA256
e0fcdf490125007eee360ac958168f1619414bd4616176d46427e742a181f007

SHA512
b8d2d9e618a4c4064d7f5616dbf0a979fca904e8b95fe04c67a18c0311147bf585691f49e3c4d29a0b14446115aea4263612b37a66f70beecd57724ccce1846d

Download Submit