hxxps://securemail2[.]blueshieldca[.]com/securereader/help[.]jsf?lang=enus

Analysis

max time kernel
23s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://securemail2.blueshieldca.com/securereader/help.jsf?lang=enus

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133228564175596343"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4124	4668	chrome.exe	81
PID 4668 wrote to memory of 4124	4668	chrome.exe	81
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3208	4668	chrome.exe	85
PID 4668 wrote to memory of 3200	4668	chrome.exe	86
PID 4668 wrote to memory of 3200	4668	chrome.exe	86
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87
PID 4668 wrote to memory of 3844	4668	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://securemail2.blueshieldca.com/securereader/help.jsf?lang=enus
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffded819758,0x7ffded819768,0x7ffded819778
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:2
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1792,i,12052034374814246632,2858219808820736033,131072 /prefetch:8
  2⤵
  PID:1756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6a006222-5a3e-4991-ab81-efb46fe78bff.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
619625dcf8e7fd846c599078ce80d612

SHA1
2818f00984ce12eb75bdceabfc666c5f4b1c1d87

SHA256
31851029ead0f6d1879dd8e216c58de4e664b8205cdee04256f4d52e96340096

SHA512
63c562785382e52449954d3b4c1e72d3f372ab24658c8dfe607fb432517f2cec16b003c7640b11bb63c73c766092c48fa65365174f09c3c0271957b6463684fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5cb28ce703b63297ec8765c4205bdc5

SHA1
2a1cde02bc789121b9817587e5278bb66417a265

SHA256
db8a6c7a761fe87f64aada4f9f7d6262d989915e2a55212385c11a0b6a4ef04f

SHA512
a9f0e0e73f4b28c0b537c415997e07e0d70da9f4da3a4759073a199611cb06d4d0a44c0b05832d36a1e1de6c4640e5358dcf1949883d7f198fed0a7a48bb5178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
00ac113098270e5d211aa2aa47bfd783

SHA1
d471d54e0f7d5b2dda4a41ac357f049e64deb49c

SHA256
6f5449ae8a55c2eb263e4bcabc4fa9aeeee7f697d863a2cb6798a84afb64ef1e

SHA512
2826c5fcbc4b3d58fd29e9114dcecf618d028bdf32fa23c380ae684b47d51ed79f84bfe49e66ca655d3a80522fbdc73293ca431fdb73c5bae0b35e8fbbcc3027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
5de6414c0b36c2c0054c58e4d7a5c5d7

SHA1
2394e5508c967fe3ae482335c3ec5c16eaf304c2

SHA256
f5ff7123396b0054c02fcdef43623fe28c6b9f063d561c2cc9be0df73ca80dc6

SHA512
3faaa34a489bea7ccecd4bee91c686626763113a10d71c661eb4e82d29a2a4c474ce7c216ac7ca61edf8f9edd7dbabea91652b1b53f66d9c69511b8110026aed

Download Submit
memory/1756-160-0x00007FFDFAA40000-0x00007FFDFAA41000-memory.dmp

Filesize
4KB

Download
memory/1756-162-0x00007FFDFAA50000-0x00007FFDFAA51000-memory.dmp

Filesize
4KB

Download
memory/3208-137-0x00007FFDFBC80000-0x00007FFDFBC81000-memory.dmp

Filesize
4KB

Download