hxxps://okqmllp9swjmrl54gfapp[.]ecwcloud[.]com/mobiledoc/jsp/webemr/login/newLogin[.]jsp

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://okqmllp9swjmrl54gfapp.ecwcloud.com/mobiledoc/jsp/webemr/login/newLogin.jsp

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133221651832708592"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4420	2104	chrome.exe	86
PID 2104 wrote to memory of 4420	2104	chrome.exe	86
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 3128	2104	chrome.exe	87
PID 2104 wrote to memory of 4400	2104	chrome.exe	88
PID 2104 wrote to memory of 4400	2104	chrome.exe	88
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89
PID 2104 wrote to memory of 3064	2104	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://okqmllp9swjmrl54gfapp.ecwcloud.com/mobiledoc/jsp/webemr/login/newLogin.jsp
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7c079758,0x7ffd7c079768,0x7ffd7c079778
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:2
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3648 --field-trial-handle=1756,i,305039622997496982,14572374386643520826,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
57e00c3026682dc5733de8a9054c8d7f

SHA1
e33daa891fa1cbb3e8a0b7a7063957f68acbee6e

SHA256
a8914596d3572165bba4b0bb2b8c1bbbc8d61a85a436e899d92bbe6bf1387629

SHA512
1d22e7dc00134b909f67394c71c3ee4c99a1f2a4b77c4767f25ea090b6490dd736449484d6d24bd13a1d4c3370cc6262a5d0827b9329df17982e2490d1127e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2935c7bd18dceae4ccecabe534ace6db

SHA1
70ed01a265040d57efe07bd003a2f66956565a3e

SHA256
f1c1f40203956bd8337aa004296f0baf010c4fae07f9f9fde358f066ea43a2c1

SHA512
0da8219f4266b7061f5dba97c8c66877fa1b18464a32fdc1125de2cac91756aa500f50e831c9037a7af474c052245e91abef1274aee6363f39f795881009e20c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4755d1fab958a878869276705765e32f

SHA1
55cac2666133ad1260b893c4cfca73f5f9d374e1

SHA256
84a3ef4bc203b5f8937d59f138548895f8acda56d216cc8860ad999ccbdcb3ae

SHA512
dd0ceaac96219eae92ef0a2b5710f78a56cc73939feadd7a8e9a490537d1adb93eef9946486ef55320f791fd072be68710ab3947a5749612118849039b75ccde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c1145e99d9bf4c471c72a95715eac2bc

SHA1
a370bc245d5f83b326d4dde847570616370a1e17

SHA256
f6a55d9a53cf309365d174408dd4a60f5b160aa6ebdb9193eb64c0902d92c430

SHA512
e2b53da0c96af62a0fb72f67a6f2080c3c8fac96206b0b19f9bc613b8a1bfcb8e9a175736d3d7617c298f8eef62d865d6833e73376081276a7a99f70d831b1c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
141KB

MD5
1247910c5730ca577a42621d045fbfef

SHA1
97aed144be952b6d5c5a6e13a7554a8fa04a2bb7

SHA256
1feea4d7f23a29eb18bc440958dffb6213fbf2d1d479eff8f0aa2065e3de39a5

SHA512
a09b6407bafe826170dba1960038be59bf606585156579bd2bdf0285d6ef6e54cad5b1bf595ca0dde958454b6c90ef1714224d028020c72f3c28f727d26d0f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/1956-155-0x00007FFD9A2D0000-0x00007FFD9A2D1000-memory.dmp

Filesize
4KB

Download
memory/1956-156-0x00007FFD9A390000-0x00007FFD9A391000-memory.dmp

Filesize
4KB

Download
memory/2436-211-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-210-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-216-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-215-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-218-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-217-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-220-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-219-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-221-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/2436-209-0x0000016C2F7B0000-0x0000016C2F7B1000-memory.dmp

Filesize
4KB

Download
memory/3128-137-0x00007FFD99B80000-0x00007FFD99B81000-memory.dmp

Filesize
4KB

Download