hxxps://support[.]startmail[.]com/hc/en-%20us/articles/360009662977-StartMail-Referral-Program-share-the-freedom-of-%20private-email

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2023, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://support.startmail.com/hc/en-%20us/articles/360009662977-StartMail-Referral-Program-share-the-freedom-of-%20private-email

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133237883178784483"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeCreatePagefilePrivilege	2672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1304	2672	chrome.exe	87
PID 2672 wrote to memory of 1304	2672	chrome.exe	87
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 2616	2672	chrome.exe	88
PID 2672 wrote to memory of 1564	2672	chrome.exe	89
PID 2672 wrote to memory of 1564	2672	chrome.exe	89
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90
PID 2672 wrote to memory of 3400	2672	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://support.startmail.com/hc/en-%20us/articles/360009662977-StartMail-Referral-Program-share-the-freedom-of-%20private-email
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff865aa9758,0x7ff865aa9768,0x7ff865aa9778
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2820 --field-trial-handle=1744,i,5972165116047755268,3446430033266189156,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
cd8932321b024bbb982a82b11ccab57e

SHA1
aceddcd7b4563b0cc035bea8aabaab46e5d1936b

SHA256
2f27256c12236358a4f81ee8b1f51927e2d6f94c00468f10b035bc6d2baa5ec2

SHA512
8c28fd72c2666a9c9c50c820c90d064df91404a0e8c53d0c5b4e75eb20769c74e1b73bc14ed9e4df06f630243f3725f92309c9146928c2cfa1188f9d7adfec2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2ca5c2a88254b12328dfad8e1e5f3850

SHA1
45a5c12c4e55c93ddc1e38ffc2866c24b5928e48

SHA256
773518af850b95a0b1cd1d876da26ebaf7ef05390946f584ceaa1ce255392d1b

SHA512
3731dea7e9c452550c9c6529ba0df17309771bef7bbf28d7e7e066716442a4064e48c350119c3e300f1ff3e46115f4807a8c797e0154b28137816137ec089dd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
471e9ebec57a124b787cc5df7be0a537

SHA1
b750f3069e67c5d11d30e53aff9819855742e95a

SHA256
baea92ec951bd1a24a875bf61653ced399fa86824ad8bdacc4de132ea92039f8

SHA512
f4ec99c295ddfdbef091ebff16333883306e15b613467b3a3f66014b915c1ee1d6521ce04e60978ab63b542c433be9bc26fb7fb5f03d4ad854ffe14078148805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
46768b74a76e7f945c2187d40eaeec16

SHA1
c67c28cc3701ec4b6976df366c89332d6f298819

SHA256
7096c00617d2deec18b062c77a2c9a10f9bf42245009b21815be93aa6ebdfdc7

SHA512
9d68f49720890ea1351842c0466299341e2e400eb893bf24fc53f9c1d7fac919de12d739bcd32b27f174e2c4a1a3dd1db8332aa9111dc855c61ef345e2826432

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7457600b73dae879ea08719fc975507c

SHA1
fcff9c933122d9a6d44e29dd7cd131d81893826a

SHA256
9c0da68a54c283a46ce711f4027a99be345e0af21859204dc2f9a9e429620f4c

SHA512
cdb58da302019d90013adc59605cddee461045d806dd53f87a00613eb99fe0f7c138cf59cb043e9ffc7c6d708cf024bf0e526e934617084a6e45d68e302f4ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
59f5434815bca21c4ea202c4ce4ed534

SHA1
59db687be4a299c8176b84d8964220ee874a2cf0

SHA256
6c432c213ad7678e408b79b1413834f1d5111822f7bf55f932b6b56fa1cc0f3b

SHA512
60b1efea6e698fe28720e14e55054af55665f685953eff39936474164a0b516e86d002168712c67a0459103130ed6eea423fe52d1e1e1c8403b488bc2582a84a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
181f41fa5a8eec4f57aa4beaa73555e6

SHA1
f7b3d843db3a03209c5da3e1d2e75783ad7b3477

SHA256
5cc796380ca64e92adc1b0ba7740fbfa2f9ebab771c60aa40612abfd3a6335dc

SHA512
0f54b17de22dd3702ed275f94622625ed02ef29fbdf4620b66d619b08644745902fc9c070d77e296ed72af9c133860db9ebfeb866fd73358a431c643a14d2ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit