hxxps://files[.]vmtsi[.]com/awa/#himcommunications@providencehealth[.]bc[.]ca

Analysis

max time kernel
54s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.vmtsi.com/awa/#[email protected]

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133232819404356476"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	chrome.exe
884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1524	884	chrome.exe	86
PID 884 wrote to memory of 1524	884	chrome.exe	86
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 1964	884	chrome.exe	88
PID 884 wrote to memory of 3168	884	chrome.exe	89
PID 884 wrote to memory of 3168	884	chrome.exe	89
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90
PID 884 wrote to memory of 2464	884	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://files.vmtsi.com/awa/#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff872619758,0x7ff872619768,0x7ff872619778
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5412 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4556 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3272 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5236 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3280 --field-trial-handle=1816,i,17054510267488162280,15049304659054588350,131072 /prefetch:1
  2⤵
  PID:1652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
ab7e7f5896046dd4b44c5c124f21f277

SHA1
40616a11f601ad78ca812472a2fd2af6c7d87456

SHA256
de47b893683cbf19dcc92f7d7abe76453a63e4aa0c2522ad467c6d376d8d3205

SHA512
fe57657f4e62545997d1bda41eeee5c4274cca30a2d117a5ddf258f1cd7eaeea5a543e35f07a240181d6390aebf3ae2a5368094310a9c973be7c9d8190ed209f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e6668450e9abbb587f424c64a5536c8

SHA1
2ea3c4d4ca2e051b1485194bd2b633e6ca8d05b4

SHA256
594288db67782a90d5ccab28ff273795dbeb1aa13eeaa4d43e01eb38f8ab24ce

SHA512
540c5d05cbc2d7be8de84cb981e0e2baf15d6ea623c2ddfbcf655cdc3805f01598051f2112018eb1a8aa55aaf0f4c69c5642c08e5e57bdb0f0036ab8a22f615d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
754b772a58ed9375de44c65e6c2f1364

SHA1
84b957ad5a25a79d9ff7590ed6dd87d10d725b21

SHA256
23634fbac3967d808349981d0ece61fec1689f4b7a1883776e761bfb6254c20a

SHA512
0816193a2a9859753add750e5178c21f2fb5821ce7265a13385019fe9d565c13021b984a86bc39d8dd2ae0ec44d5e621f1a9c0a4a8d9bd22bf8b4662a6f43501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef725a1f24edc56816b972a1773a0d97

SHA1
323325b010b43dff0e5c08ea648f5448c70fb439

SHA256
7b230139945079e9591a9996256542e97d6398029a6ef32d111d81939b41884a

SHA512
47c58ee6f7ebf6e012ba793d378af981b08b41031ee96acb3e4f58da2caac4c5f89334ce141e7b9bc81efb3301226996e1f027012e527b7b34ede9f190ba4a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
88746d5869dbbb7242e717bbd33ce6c9

SHA1
77a86a39e8cf506cfcc9ba7f41e2aa57ec0177c9

SHA256
64bae81b5c708e694869d1e09a8e5e72b1142f0f1b8705cde0b35fad12b8b0c8

SHA512
0b1cd2f1cdcc7bb26c7221ccf1ea0e4e560147d5735f173aac2edecfd08da1b54a540d8661cfc43171f922055707ecba363a9ab13a0d6ed93657c11365500a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
38f6a2ffb99bf5035afdad850d32b17c

SHA1
8de30926abb1aa5226283ab66f716cfa7e8247a7

SHA256
a10b8ad327727bd56f6a285b84d5b32826162382ce1bc8964aec71f6b75f84f5

SHA512
a71ca3d4758b77f5d7a88c68eb0b0ada55c8bb08b2d0255346beb93ba1a34a6e3d419d6ae875e6b4df7405b623cd19a988ac530ea0a7f5eaf157158e32a263b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit