hxxp://safrareal[.]com[.]br/yoya/2zca30veb673pzznkniq6ghbif5qmyrpnkfp8/bGV3aXMubWFydGluQGlvbmdyb3VwLmNvbQ==$?

Analysis

max time kernel
20s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://safrareal.com.br/yoya/2zca30veb673pzznkniq6ghbif5qmyrpnkfp8/bGV3aXMubWFydGluQGlvbmdyb3VwLmNvbQ==$?

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763949400617177"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1556	1328	chrome.exe	84
PID 1328 wrote to memory of 1556	1328	chrome.exe	84
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 4388	1328	chrome.exe	85
PID 1328 wrote to memory of 5096	1328	chrome.exe	86
PID 1328 wrote to memory of 5096	1328	chrome.exe	86
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87
PID 1328 wrote to memory of 1988	1328	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://safrareal.com.br/yoya/2zca30veb673pzznkniq6ghbif5qmyrpnkfp8/bGV3aXMubWFydGluQGlvbmdyb3VwLmNvbQ==$?
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4072cc40,0x7ffd4072cc4c,0x7ffd4072cc58
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1828,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3020,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3024,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3028,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4444,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,16278944499153934363,9786683044534193183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b22f7d0fec270bf6556048723e0f1023

SHA1
d727712d5a97084857fbba3cfcd2604528403999

SHA256
3a809b9c694471da0b7bf968c72f532b2460897be22e616d7f3c8ca05c937d57

SHA512
10d9c13053e9bb76e5ba3cc10d463a10430842646dd55a20c85e5bcf5d17b2bd497a979cbcd6400667133666a30ba637391d21872b1182015c07ecc9d705b504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\58f0d2d3-65da-4d33-8aed-50c5464706e8.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ae0a3916b5fda07335a5155fd1770bee

SHA1
ead12677f68819e6d623df4dd252e01ce76e5648

SHA256
f2773b105450df71b772652557bdc132240b4ff5426097fb29837b088d026c6a

SHA512
be3b178f172579f388f1a6b0678757f45a1e55548a7645130c72ffd27e0628c5fe0a2c2aaa9912bba4b214fe6287361ccb0f4560c002eb2e420e930fe24398cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d489cb4be0648596ba68c2c1b91e91c

SHA1
6ae3455accbceeefb34a7899804707c96f80847d

SHA256
3a377aa718e355eb46162d5f7cac91b2e1dc9b2ee37023f1fb57f06946888ed2

SHA512
df5ae5c59c4e8db4104f0ece579d6fb81a276cf5603c118bd815f4e92869f24cff6733a51a2b23094b344869ced8b0586f11996837647eb1bdc54f6073c682fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
590d7c4d27f3a1968c29f518b238511b

SHA1
1ea957308dd7f32a6bc86ce45bd0638677178399

SHA256
21141ecbc380fe3b00d26d12ba85f70592e864bae8f1683a7b98764a324cda58

SHA512
003f6ddc7bca7940e01444130ae6bd0913a5f215f3faaf7760fc667f7f177bc3eddfeba43f05452fec4f54e5bf916411753451f9d20b9d554bf4eab625f10fac

Download Submit