hxxps://9b65397b-7f3e-488b-bb20-6a851ac58044-00-2yrur6tlyhlms[.]janeway[.]replit[.]dev/qbo-s[.]html

Analysis

max time kernel
149s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://9b65397b-7f3e-488b-bb20-6a851ac58044-00-2yrur6tlyhlms.janeway.replit.dev/qbo-s.html

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722911274640164"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2420	4892	chrome.exe	73
PID 4892 wrote to memory of 2420	4892	chrome.exe	73
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 3884	4892	chrome.exe	75
PID 4892 wrote to memory of 4648	4892	chrome.exe	76
PID 4892 wrote to memory of 4648	4892	chrome.exe	76
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77
PID 4892 wrote to memory of 1688	4892	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://9b65397b-7f3e-488b-bb20-6a851ac58044-00-2yrur6tlyhlms.janeway.replit.dev/qbo-s.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff87d0c9758,0x7ff87d0c9768,0x7ff87d0c9778
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:2
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1852 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2780 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2788 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 --field-trial-handle=1836,i,6422286783103216340,11051110329708718527,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
cfd3d717b42f92ec8676b5c882f8d48c

SHA1
c5b88f60b8006c037a5b6d4e2865aa6fdf26a046

SHA256
23cc4e12e55109537011c3328fd4eeb79e04696398e904a4cdb8ee15ce690598

SHA512
f10bfcefaf968a5616112806afc1a62b75cb6cf8a3782938cf237772779b4702edf773dbddefc8631c592ddc5d8ded366515e390bc09668f6a072efedad143c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
904B

MD5
ae6a14ad83fab962bf2be16399e0d32d

SHA1
3aa5a0199438028c7d7f228ec92d67cb81cad747

SHA256
f2c5d8fccadfd4e0a21a06738fc9e18e2495d0697f0b293c8f95d92524e7ee75

SHA512
f8cab477597e61acf6dc46572d83cdcfb05fc6888c7380ab456a6c9b8dadf91011915ae4c194b43b0f0d3ea9b2c9284fcbcb56074828440b9ecc78df07040ce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
abaeb791945a7c9ff87f9ba69e4eb7d4

SHA1
7946e323542863d6bda7fc1b094be5db673f845b

SHA256
937b35a212f358ab7dd905f4116feb56d31ea0c127781fea0ec1fb1f005ba1c4

SHA512
6411778c46d8ddaf958dd6c575ee2039fe7c5b8cdab4c5281ee59dc8af698c34c6bb6779c84f73f5a5590676bf7521236955420f3c35816582648e7d6d07e541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c0283032471ef52e4e794e2a626f5165

SHA1
1cca199ca7bfd37d452c5db994a31e2d58aadb31

SHA256
480049361471146fa279be5624f5e334234ab3288cf271a71e33613fc9e22ac9

SHA512
418ced6d16a468cb4f2f17e039b56935d5ad7d48dc4d9aec5ccb705c990033d623173598d848f473a62095d2bec70928279e3b805c1b18e7df20cac054d04359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5db9c037b5226c91045edd5895c99997

SHA1
eaf07862c0148d48bc9d976b56c207e958877354

SHA256
ec9f7b7627d05c13fd0a525e5b18ab0a848f77e59355d912828ccef760a5e86d

SHA512
6930d57524d6cc1e5db5433a224e4b7b77759db2d00877c8b1648da60efd15f5e9a9f33d94ada5c142ee094d4bf0e3878fa36b2ad419d6a8346ad6f7316532e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
671e9f3dd6c2ee3ac082782cc45f8e9c

SHA1
6a971a18b641b946d0733351978e24e01c28ebae

SHA256
b85ae280535b637e6ad8ce4d7d585adfffb511ae93a4f269a636ef81e9fa0f55

SHA512
846ff9d07ec1fc7ebc1680d8274260940263ff787b9b16963e5befe7d09660b14905a932ecda2e73cfed5c6ca55b10e7f1ef5467c6f207b06368b7d2c83363e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
1f9447abe7555e0cfb3a58a794fc180f

SHA1
07463483203aa89d1906fbf009bf55beb9bdc47f

SHA256
6933e1811442d4fcdeb61b7b0d4a7e066468ac0d4bc06af3fbb7a3c73377b6d6

SHA512
734c6170cd2ccdf2fa014e26ba7d063b5a8c6697f768907232edf426da265b66406a7680d715fb3aef3d3080d17c0fa94079bd125bd90e8484948c638de78918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit