e3eeee10af22422f14f4674e1d08ee0c3671be18ea215a0eade683c1b2d8899d

Resubmissions

17-03-2023 09:48

230317-ls3kbsfe74 1

17-03-2023 09:42

230317-lpmdyahe5z 1

17-03-2023 08:30

230317-kd4neahb7z 1

17-03-2023 08:19

230317-j8b17sfb24 1

Analysis

max time kernel
1800s
max time network
1691s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance Advice.html
Size

61KB
MD5

23e89a9e99a4221b8359cdcb5f7f714c
SHA1

a7c345dd20dee6206dd25bbe44c2571d5bb400af
SHA256

e3eeee10af22422f14f4674e1d08ee0c3671be18ea215a0eade683c1b2d8899d
SHA512

866d25a829b6508583d75aafdba339e9d453b99bc52360567432cff0bafccc782dd8e8a0de7e8b1c4032250aa24124f96e04fb700e6198f91c8b4d1440d668b5
SSDEEP

1536:Mo9KBJuu92UUtCq7+THf6wXFfd8CYpxZOsh:Mo9KBEu92UUt/7AL1NYpDh

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133235156894770338"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
564	chrome.exe
564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1340	564	chrome.exe	87
PID 564 wrote to memory of 1340	564	chrome.exe	87
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4852	564	chrome.exe	88
PID 564 wrote to memory of 4224	564	chrome.exe	89
PID 564 wrote to memory of 4224	564	chrome.exe	89
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90
PID 564 wrote to memory of 4176	564	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\Remittance Advice.html"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffade389758,0x7ffade389768,0x7ffade389778
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:2
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 --field-trial-handle=1812,i,13442682544014228470,3509131931216712432,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
4d36a0663b01afd8c8b3be29cf6231c5

SHA1
c4ba0239624c39ffd0e2d72ec588c562366fb03c

SHA256
b2cae0a2c7cc0c80412d32d820a0322a70487af9ac8c7a1c06b772a0a3a96f0e

SHA512
09cbdbeedb1f8384c44f869b584b474ae2162beb45111da3d1040afa2a57755d0858146e8c1d6be352fe3c523494ed4b7c32e4f95b78244b7ae7fbbddd79833b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f7557e604595cbde7d8c700262eed680

SHA1
216de1e3216dcc90b7ed1e708f5396e9f2383273

SHA256
9ca18915c4aa82d61bcf84be9388ed7fb29bcf97b826632a23b66797b02954a3

SHA512
dedd7f4a5d27812d30211899e7c7ebbecbd20d8007e941823572f03918e7cf428cb383f0d8a6a35dfdf8c7db0b599e9b87e3c5bd9ed530ba79f304e96c80358a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9277173ff77009d98ed47557a29744ac

SHA1
8bff32abd1ca256ee8873c4311963137950d0e51

SHA256
60bc0e6856edd41a41e8cb10bc510d88f113ec423ee6afee31d7bcec87a770ec

SHA512
453de71a9ee9e7d0b698ae28085ab2ebfb1e6dcc0eac8a4951e4b2944660b0a23ad760ca701aeec64c9ec20920e8013fedf6240eaedce980b912ed8f59a22b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e6c76b2c-ca1f-4f41-ac73-5aabb85c6adc.tmp

Filesize
5KB

MD5
e4cf9da92ce9c82d7b2289318ac2d3ce

SHA1
a373045a3294f59f019dd6de0b5947e1645c562e

SHA256
ab5949c4b001e7b4261fc9c63d1941f5edacbddf23644786583605cce361b6ae

SHA512
52c9623d195caefb692884c2141eaf7bb3ceeae3a6e43b361f3105e345cdfd8a96fe2ec9a3677c98a6aa952fafd3b453378d07ff5ea682f0bb25b822d160cae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
26e6add5baaa69bf9e2285dbac3ecfeb

SHA1
68f0811aaf01b646ce8994b63c0e4f2e6a14e032

SHA256
ae32bf53fd71e3b65ed2ff2dcf8142346217d633abf541f5d6fc365334968056

SHA512
de807382b909351d611aa9fd908851002f066e3e2f4f316edd1a26dffa5930c1ea1618dfed4551fbb84cf5045ffa92cb09c39b17066141431eaed7ef22f4bbd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit