50eb6895edd038541ec2a2051310f4b8fc2558b3dd891ed7ba9ce9e987889132

General

Target

Txdot Remittance_Advice.html
Size

161KB
MD5

e413b747ff25f218628c0222d14a56ae
SHA1

500ccbb955471c803cede52b67f1ac9caffbe101
SHA256

50eb6895edd038541ec2a2051310f4b8fc2558b3dd891ed7ba9ce9e987889132
SHA512

ccc5a890ac0bf07867f653848f4cc12a7c9a27cc0a7f6f71769a411a0f774afddbbd3f510e4fcf1af8f843fb3035327fe88e7ebe78f40445c01b529f21992feb
SSDEEP

3072:EGKrGwsK+Q92A7UmZ64o2qB1+Vi2HBKAJMqX/vPBWKssBqJMyUdAMC:TW7XZAqPhlssBqJM1ZC

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239935458152448"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

684 chrome.exe
684 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

684 chrome.exe
684 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe
Token: SeShutdownPrivilege	684	chrome.exe
Token: SeCreatePagefilePrivilege	684	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe
684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 684 wrote to memory of 1392	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 1392	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3656	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3360	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 3360	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe
PID 684 wrote to memory of 4976	684	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\Txdot Remittance_Advice.html"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee9ad9758,0x7ffee9ad9768,0x7ffee9ad9778
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:2
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:8
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:8
2⤵
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1804,i,14194143995662559185,11112928013273406928,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
f607c66f884f10bec936305cb5bde5b5

SHA1
202b8eea5f64474792ebea29851cf324bbd65198

SHA256
98dba816b58deea377c7255ea02320c26bf71d9a5608cc731392689b58787600

SHA512
e25497d0497fb2feb1f437dd25903202a78ac9fe3938f4769e7e60e2041e304db1cace748b8a62dc413e825b7b0a8e356c4b2ae97d337d4ba0d465e955c42843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
91537ab96370add42d67e3b1460232c6

SHA1
d1a106952d8632b9d6a05f9ff1da9c622fa2e0b4

SHA256
ff8c07a0fc7a4d437a5a795dfe566a5a800c687130461230cbecc3a77ebd6ba8

SHA512
f3fbdbb6f456175a5fcd2f70181365b65454fcaa8f05a29c293483f51fbde23b2c940677ba0fc01e7fac70218c982e510e335d622378f3f2002d61311d7afe93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
3d4dd73251d336633bd47b98c2ccf8d8

SHA1
7d8e7329cf635f17d94e9b718c1c320ccef6cf34

SHA256
51c397b1ab694f9a2417a1bb27043056a3897ac3db58097ddddbc3bb97613e33

SHA512
c7f946aca60a498f4a96c27e3dcf1fd614f1fbd804b8b3edcea8d5a5a3e0e0a89414e3e311c9e64bb4fc7c6eee6b5f5f5f405efca735135dfe7195320aa01782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
e4334ba8c77765108b6681620498de30

SHA1
3cd07c1024f558e000059904367368a0d83ce46c

SHA256
74e2d1c14f309fc3c396caa2211cd3fbafcaeb3fdd4bf41d8e970fc7e4c4544a

SHA512
f5f305df031ec78d97f4e917db3853cc09ac92b880ba2bc00b139b4825fce2117ff3e18a707e582639bf17e2a556a342b9cf427532c1399d430c813d2c7188ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_684_SRXBWEXQUITFOFJW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads